
Re: QoS considerations



At 11:53 AM -0800 3/21/02, Lars Eggert wrote:
Black_David@xxxxxxx wrote:
IPsec currently makes QoS for tunnels somewhat difficult, as RFC 2401 requires copying the DSCP from the inner header to the outer header on tunnel ingress, and discarding it at tunnel egress, even if it's been changed. This is overly severe, and I believe/hope that it will be made more flexible in the new version of RFC 2401.

I can understand why this should be revisited, but it also requires a revision of RFC 2003. RFC 2401 already specifies some incompatible rules (e.g. for DF flag processing) that are in conflict with IPIP encapsulation as standardized in RFC 2003. (See draft-touch-ipsec-vpn-03.txt.) It may be useful to update 2401 and 2003 together.


Lars
--

We already anticipate updating 2401 to describe appropriate ECN handling. I also anticipate closer alignment with 2003; there has been a view that tunnel mode was intentionally different from IP-in-IP tunneling. I don't hold that view is necessarily true in all respects; tunnel mode is different in terms of offering certain controls to a security administrator to manage covert channels (which would not normally be an issue) and in ensuring that the receiver examines the right portions of the received packet re access controls. To the extent that there are no adverse security implications, IP-in-IP processing should be applicable in IPsec.


Steve
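The header processing the thread argues about, as an added model that is not part of this thread or of any IPsec implementation: tunnel ingress copies the inner DSCP to the outer header, egress either discards the outer DSCP (the RFC 2401 rule) or propagates a remark made inside the tunnel (the flexible behaviour David hopes for), and the ECN decapsulation rules follow RFC 3168 section 9 (outer CE is carried into an ECN-capable inner packet; a non-ECN-capable inner packet under a CE-marked outer header is dropped). Copying the ECN field at ingress is an assumption made here; the thread only says ECN handling is still to be specified.

```python
from dataclasses import dataclass
from typing import Optional

NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11  # RFC 3168 ECN codepoints


@dataclass
class IPHeader:
    dscp: int      # 6-bit Differentiated Services codepoint
    ecn: int       # 2-bit ECN field
    payload: str


@dataclass
class Tunnelled:
    outer: IPHeader
    inner: IPHeader


def tunnel_ingress(pkt: IPHeader) -> Tunnelled:
    """Tunnel-mode encapsulation: the outer DSCP is copied from the inner
    header (RFC 2401). The ECN field is copied too; that is an assumption
    for this example, not a rule taken from the thread."""
    outer = IPHeader(dscp=pkt.dscp, ecn=pkt.ecn, payload="ESP")
    return Tunnelled(outer=outer, inner=pkt)


def qos_remark(t: Tunnelled, dscp: int, ecn: Optional[int] = None) -> Tunnelled:
    """Constructed stand-in for a router between the tunnel endpoints, which
    can only see and rewrite the outer header."""
    t.outer.dscp = dscp
    if ecn is not None:
        t.outer.ecn = ecn
    return t


def tunnel_egress(t: Tunnelled, flexible_dscp: bool = False) -> Optional[IPHeader]:
    """Decapsulation. RFC 2401 behaviour: the outer DSCP is discarded, so a
    remark applied inside the tunnel is lost. With flexible_dscp=True the
    outer value is propagated into the inner header instead. ECN handling
    follows RFC 3168 section 9: outer CE is propagated into an ECN-capable
    inner packet; a Not-ECT inner packet under an outer CE is dropped (None).
    The inner header is copied so the tunnelled packet is left untouched."""
    inner = IPHeader(dscp=t.inner.dscp, ecn=t.inner.ecn, payload=t.inner.payload)
    if flexible_dscp:
        inner.dscp = t.outer.dscp
    if t.outer.ecn == CE:
        if inner.ecn == NOT_ECT:
            return None
        inner.ecn = CE
    return inner
```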