
2401bis Issue # 75 -- TOS (now ECN) copying in tunnel mode



Folks,

Here's a description and proposed approach for:

IPsec Issue #:	75

Title:		TOS (now DSCP and ECN) copying in tunnel mode

Description:
============
The issue was raised that a Trojan Horse "behind" the IPsec 
implementation could use the TOS field to exfiltrate data.

Note: TOS octet (IPv4) and Traffic Class octet (IPv6) have been 
replaced by the 6 bit Differentiated Services field (aka 
Differentiated Services Codepoint (DSCP)) and the 2 bit Explicit 
Congestion Notification field (ECN).


Proposed approach:
==================
2401bis will be modified with text along the lines of:

"An IPsec implementation MAY be configurable re: how it processes the 
DSCP field for tunnel mode for transmitted packets. For outbound 
traffic, one configuration setting will operate as described in the 
section on IPv4 and IPv6 header processing for IPsec tunnels. Another 
will allow the field to be mapped to a fixed value, which MAY be 
configured on a per SA basis. (The value might really be fixed for 
all traffic outbound from a device, but per SA granularity allows 
that as well.) This configuration option allows local 
administrators to decide whether the covert channel provided by 
copying these bits outweighs the benefits of copying."

Thank you,
Karen
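The two outbound DSCP settings described in the proposed text (copy from the inner header, or map to a fixed per-SA value) can be modelled in a few lines. The following is an added illustration, not text from the 2401bis issue or code from any IPsec implementation; the `TunnelSA` class, the policy names and the sample inner TOS octets are all constructed for this example, and the ECN bits are simply carried through, since ECN tunnel processing has its own rules that this example does not model. It shows why the fixed mapping closes the channel: under the copy policy the outer DSCP tracks whatever the inner sender sets, under the fixed policy every packet on the SA leaves with the same outer DSCP.

```python
# Added example modelling the proposed outbound DSCP policies for IPsec tunnel mode.
# Hypothetical types and names; not from 2401bis or any IPsec implementation.
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional

DSCP_MASK = 0x3F  # 6-bit Differentiated Services Codepoint
ECN_MASK = 0x03   # 2-bit Explicit Congestion Notification field


class DscpPolicy(Enum):
    COPY = "copy"    # outer DSCP copied from the inner header (normal tunnel processing)
    FIXED = "fixed"  # outer DSCP set to an administrator-configured value for the SA


@dataclass
class TunnelSA:
    """Per-SA configuration (constructed for this example)."""
    spi: int
    dscp_policy: DscpPolicy
    fixed_dscp: Optional[int] = None  # only meaningful when dscp_policy is FIXED

    def __post_init__(self) -> None:
        if self.dscp_policy is DscpPolicy.FIXED:
            if self.fixed_dscp is None or not 0 <= self.fixed_dscp <= DSCP_MASK:
                raise ValueError("FIXED policy requires a 6-bit DSCP value")


def split_ds_field(tos: int) -> tuple:
    """Split the IPv4 TOS / IPv6 Traffic Class octet into (DSCP, ECN)."""
    return (tos >> 2) & DSCP_MASK, tos & ECN_MASK


def outer_ds_field(sa: TunnelSA, inner_tos: int) -> int:
    """Compute the DS octet written into the outer (tunnel) IP header."""
    inner_dscp, inner_ecn = split_ds_field(inner_tos)
    if sa.dscp_policy is DscpPolicy.COPY:
        outer_dscp = inner_dscp            # inner bits are visible on the wire
    else:
        outer_dscp = sa.fixed_dscp         # inner bits never reach the outer header
    # ECN bits are passed through unchanged here (assumption; real ECN tunnel
    # handling is specified separately and is not modelled in this example).
    return (outer_dscp << 2) | inner_ecn


def distinct_outer_dscps(sa: TunnelSA, inner_tos_values: Iterable[int]) -> int:
    """How many distinct outer DSCP values an on-path observer would see."""
    return len({split_ds_field(outer_ds_field(sa, t))[0] for t in inner_tos_values})


if __name__ == "__main__":
    # Constructed inner TOS octets: default, AF11 (DSCP 10), EF (DSCP 46), DSCP 0 + ECN 3
    inner = [0x00, 0x28, 0xB8, 0x03]
    copy_sa = TunnelSA(spi=0x1001, dscp_policy=DscpPolicy.COPY)
    fixed_sa = TunnelSA(spi=0x1002, dscp_policy=DscpPolicy.FIXED, fixed_dscp=0)
    for sa in (copy_sa, fixed_sa):
        print(sa.dscp_policy.value, [hex(outer_ds_field(sa, t)) for t in inner],
              "distinct outer DSCPs:", distinct_outer_dscps(sa, inner))
```

With the copy policy the outer DSCP takes three different values across the four sample packets, so the inner host controls six bits of every outer header; with the fixed mapping it takes exactly one, at the cost of losing per-packet differentiated-service marking on the tunnel.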