Will ALTQ queue's ecn setting work with IPsec flows?
RFC 3168, The Addition of Explicit Congestion Notification (ECN) to
> 9.2.1. Negotiation between Tunnel Endpoints
> This section describes the detailed changes to enable usage of ECN
> over IPsec tunnels, including the negotiation of ECN support between
> tunnel endpoints. This is supported by three changes to IPsec:
> * An optional Security Association Database (SAD) field indicating
> whether tunnel encapsulation and decapsulation processing allows
> or forbids ECN usage in the outer IP header.
> * An optional Security Association Attribute that enables
> negotiation of this SAD field between the two endpoints of an SA
> that supports tunnel mode.
> * Changes to tunnel mode encapsulation and decapsulation
> processing to allow or forbid ECN usage in the outer IP header
> based on the value of the SAD field. When ECN usage is allowed
> in the outer IP header, the ECT codepoint is set in the outer
> header for ECN-capable connections and congestion notifications
> (indicated by the CE codepoint) from such connections are
> propagated to the inner header at tunnel egress.
> If negotiation of ECN usage is implemented, then the SAD field SHOULD
> also be implemented. On the other hand, negotiation of ECN usage is
> OPTIONAL in all cases, even for implementations that support the SAD
> field. The encapsulation and decapsulation processing changes are
> REQUIRED, but MAY be implemented without the other two changes by
> assuming that ECN usage is always forbidden. The full-functionality
> alternative for ECN usage over IPsec tunnels consists of the SAD
> field and the full version of encapsulation and decapsulation
> processing changes, with or without the OPTIONAL negotiation support.
> The limited-functionality alternative consists of a subset of the
> encapsulation and decapsulation changes that always forbids ECN
Is such SAD functionality implemented? Will ALTQ queue's ecn setting
work with IPsec (and any IP-level proto) flows?
Alexey E. Suslikov
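
The following C sketch is an added example, not part of the original message and not OpenBSD or ALTQ code. It models the encapsulation and decapsulation handling the quoted section describes, with a congested ECN-marking queue in between that sees only the outer header. The names `sa_ecn`, `ecn_encap`, `aqm_congested`, `ecn_decap` and `tunnel_roundtrip` are hypothetical, and copying DSCP to the outer header and dropping a CE-marked outer packet whose inner header is not ECN-capable are assumptions of the sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* ECN codepoints: low two bits of the IPv4 TOS / IPv6 Traffic Class octet. */
enum { ECN_NOT_ECT = 0, ECN_ECT1 = 1, ECN_ECT0 = 2, ECN_CE = 3, ECN_MASK = 3 };
/* Hypothetical stand-in for the optional SAD field described in 9.2.1. */
enum sa_ecn { SA_ECN_FORBIDDEN, SA_ECN_ALLOWED };

/* Tunnel ingress: derive the outer octet (copying DSCP is an assumption). */
uint8_t ecn_encap(enum sa_ecn sa, uint8_t inner)
{
    uint8_t ecn = inner & ECN_MASK;
    if (sa == SA_ECN_FORBIDDEN)
        ecn = ECN_NOT_ECT;          /* outer header is never ECN-capable */
    else if (ecn == ECN_CE)
        ecn = ECN_ECT0;             /* ECN-capable, but outer starts unmarked */
    return (uint8_t)((inner & ~ECN_MASK) | ecn);
}

/* Congested ECN-enabled queue (hypothetical): mark CE, or return 0 = drop. */
int aqm_congested(uint8_t *tos)
{
    if ((*tos & ECN_MASK) == ECN_NOT_ECT)
        return 0;                   /* not ECN-capable: queue can only drop */
    *tos |= ECN_CE;
    return 1;
}

/* Tunnel egress: 0 = deliver (inner possibly updated), -1 = drop. */
int ecn_decap(enum sa_ecn sa, uint8_t outer, uint8_t *inner)
{
    if (sa == SA_ECN_FORBIDDEN || (outer & ECN_MASK) != ECN_CE)
        return 0;                   /* inner header left unchanged */
    if ((*inner & ECN_MASK) == ECN_NOT_ECT)
        return -1;                  /* assumption: CE cannot reach a non-ECN flow */
    *inner |= ECN_CE;               /* propagate the congestion mark */
    return 0;
}

/* Inner ECN codepoint after one congested hop in the tunnel, -1 if lost. */
int tunnel_roundtrip(enum sa_ecn sa, uint8_t inner)
{
    uint8_t outer = ecn_encap(sa, inner);
    if (!aqm_congested(&outer) || ecn_decap(sa, outer, &inner) != 0)
        return -1;
    return inner & ECN_MASK;
}

int main(void)
{
    printf("allowed=%d forbidden=%d\n", tunnel_roundtrip(SA_ECN_ALLOWED, ECN_ECT0),
           tunnel_roundtrip(SA_ECN_FORBIDDEN, ECN_ECT0));
    return 0;
}
```

With ECN forbidden on the SA, the outer header is not ECN-capable, so a queue configured to mark has nothing it can mark and falls back to dropping the tunnelled packet.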