[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ECN and issue 58

To: Black_David@emc.com
Subject: Re: ECN and issue 58
From: Joe Touch <touch@ISI.EDU>
Date: Fri, 05 Sep 2003 15:06:23 -0700
CC: ipsec@lists.tislabs.com
In-Reply-To: <B459CE1AFFC52D4688B2A5B842CA35EA7A4F18@corpmx14.us.dg.com>
Organization: USC/ISI
References: <B459CE1AFFC52D4688B2A5B842CA35EA7A4F18@corpmx14.us.dg.com>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624



Black_David@emc.com wrote:

> Joe,
> 
> 
>>>My proposed text:
>>>
>>>When IPsec tunnels behave as originally specified in [RFC 2401], ECN
> 
> usage
> 
>>>is not appropriate for the outer IP headers because tunnel decapsulation
>>>processing discards ECN congestion indications to the detriment of the
>>>network.  ECN support for IPsec tunnels for IKEv1-based IPsec requires
>>>multiple  operating modes and negotiation (see [RFC 3168]).  IKEv2
>>>simplifies this situation requiring that ECN be usable in the outer IP
>>>headers of all tunnel-mode IPsec SAs created by IKEv2.  Specifically,
>>>tunnel encapsulators and decapsulators for all tunnel-mode Security
>>>Associations (SAs) created by IKEv2 MUST support the ECN
> 
> full-functionality
> 
>>>option for tunnels specified in [RFC3168] and MUST implement the tunnel
>>>encapsulation and decapsulation processing specified in [RFC2401bis] to
>>>prevent discarding of ECN congestion indications.
>>>
>>>NB: [RFC 2401] reference is informative, [RFC 3168] and [2401bis] are
>>>normative.
>>
>>It might be useful to consider that RFC2168 already specifies how ECN 
>>interacts with IP in IP (RFC2003) tunneling (sec 9.1), and that IPsec 
>>tunnels should follow that convention.
> 
> 
> Yes, that was considered, and the latter reference to [RFC3168] in my text
> is to sec 9.1 -  it would be good to make that explicit (i.e., "... ECN
> full-functionality option for tunnels specified in Section 9.1 of
> [RFC3168].").

Yes.

>>This is keeping with another goal, i.e., having 2401bis point to RFC2003 
>>excepting only security caveats, rather than (largely) respecifying an 
>>existing specification.
> 
> 
> If 2401bis goes that route, that would be ok, but 2401bis has to do
> something to override RFC2401 and Section 9.2 of RFC3168.  I would
> prefer to not point to RFC2003 from IKEv2, and leave it to 2401bis to
> decide whether to say that this is realized by reference to RFC2003
> (... provided that you can convince Steve Kent that the result doesn't
>  break any IPsec security properties ... ).

Sure - it's probably better to have all that info in one place - in 2401bis.

Joe

Prev by Date: RE: Ipsec and IPV6
Next by Date: Last call on 2401bis issues: #47, #48, #49, #57
Prev by thread: Re: ECN and issue 58
Next by thread: Re: IPsec issue #46 -- No need for nested SAs or SA bundles
Index(es):
- Date
- Thread