Will ALTQ queue's ecn setting work with IPsec flows?



Dear misc@openbsd.org,

RFC 3168, The Addition of Explicit Congestion Notification (ECN) to
IP, says:

> 9.2.1.  Negotiation between Tunnel Endpoints
> 
>    This section describes the detailed changes to enable usage of ECN
>    over IPsec tunnels, including the negotiation of ECN support between
>    tunnel endpoints.  This is supported by three changes to IPsec:
> 
>       * An optional Security Association Database (SAD) field indicating
>         whether tunnel encapsulation and decapsulation processing allows
>         or forbids ECN usage in the outer IP header.
> 
>       * An optional Security Association Attribute that enables
>         negotiation of this SAD field between the two endpoints of an SA
>         that supports tunnel mode.
> 
>       * Changes to tunnel mode encapsulation and decapsulation
>         processing to allow or forbid ECN usage in the outer IP header
>         based on the value of the SAD field.  When ECN usage is allowed
>         in the outer IP header, the ECT codepoint is set in the outer
>         header for ECN-capable connections and congestion notifications
>         (indicated by the CE codepoint) from such connections are
>         propagated to the inner header at tunnel egress.
> 
>    If negotiation of ECN usage is implemented, then the SAD field SHOULD
>    also be implemented.  On the other hand, negotiation of ECN usage is
>    OPTIONAL in all cases, even for implementations that support the SAD
>    field.  The encapsulation and decapsulation processing changes are
>    REQUIRED, but MAY be implemented without the other two changes by
>    assuming that ECN usage is always forbidden.  The full-functionality
>    alternative for ECN usage over IPsec tunnels consists of the SAD
>    field and the full version of encapsulation and decapsulation
>    processing changes, with or without the OPTIONAL negotiation support.
>    The limited-functionality alternative consists of a subset of the
>    encapsulation and decapsulation changes that always forbids ECN
>    usage.  

Is such SAD functionality implemented? Will ALTQ queue's ecn setting
work with IPsec (and any IP-level proto) flows?
   
Truly yours
 Alexey E. Suslikov
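
The two alternatives in the quoted RFC 3168 text, written out as tunnel ingress and egress handling of the ECN bits; this is an added example, not part of the original message and not OpenBSD's IPsec code. `struct sa_entry`, `ecn_allowed` and the function names are hypothetical, the codepoint rules follow my reading of RFC 3168 sections 9.1.1 and 9.2, and copying the DSCP bits to the outer header is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* ECN codepoints: low two bits of the IPv4 TOS / IPv6 traffic class octet. */
#define ECN_MASK    0x03
#define ECN_NOT_ECT 0x00
#define ECN_ECT1    0x01
#define ECN_ECT0    0x02
#define ECN_CE      0x03

/* Hypothetical stand-in for the optional SAD field in the quoted text. */
struct sa_entry {
    bool ecn_allowed;   /* true: full functionality, false: ECN forbidden */
};

/* Tunnel ingress: build the outer TOS octet from the inner one. */
uint8_t ecn_encap(const struct sa_entry *sa, uint8_t inner_tos)
{
    uint8_t dscp = inner_tos & (uint8_t)~ECN_MASK;  /* assumption: DSCP copied */
    uint8_t ecn = inner_tos & ECN_MASK;

    if (!sa->ecn_allowed)
        return dscp | ECN_NOT_ECT;  /* limited: outer header never ECN-capable */
    if (ecn == ECN_CE)
        ecn = ECN_ECT0;             /* existing CE mark stays on the inner header */
    return dscp | ecn;              /* not-ECT and ECT are copied unchanged */
}

/* Tunnel egress: return the inner TOS octet after decapsulation. */
uint8_t ecn_decap(const struct sa_entry *sa, uint8_t outer_tos, uint8_t inner_tos)
{
    uint8_t in_ecn = inner_tos & ECN_MASK;

    if (!sa->ecn_allowed)
        return inner_tos;           /* limited: outer ECN bits are ignored */
    /* Propagate CE set inside the tunnel only to an ECN-capable inner flow. */
    if ((outer_tos & ECN_MASK) == ECN_CE &&
        (in_ecn == ECN_ECT0 || in_ecn == ECN_ECT1))
        return inner_tos | ECN_CE;
    return inner_tos;
}
```

With `ecn_allowed` false, a queue with ECN marking enabled on the tunnel path sees only not-ECT outer headers, so it has nothing to mark.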