Re: IKEv2 transport concerns
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Black" == Black David <Black_David@emc.com> writes:
Black> (1) Any system running IKEv2 is REQUIRED to handle ECN (Explicit
I think that this may be misplaced. I think that RFC2401bis is where
to say this.
Black> (2) Repeat after me ... "IKEv2 will not negotiate transport QoS".
Okay, I'm not even sure that we all know what it is that we won't be doing.
Are you telling me that, if a gateway system is aware of QoS that was
requested by an end system, it can never inform the other gateway of
this fact?
Clearly, a gateway system that knows of a QoS requested by an end system
(whether via RSVP or other) could easily present appropriate signaling for
the resulting tunnel.
Black> For diffserv code points, the proposal is for IKEv2 to have
Black> each endpoint of a tunnel-mode or UDP-encapsulated-tunnel-mode
Black> SA report to the other how it treats the outer DSCP values
Black> on decapsulation (copy to inner vs. discard - nothing more
Black> complex is needed, see RFC 2983 for a longer discussion).
Black> Negotiating or configuring this ought to be out of scope for
Black> IKEv2, but reporting what will be done can be a useful check
Black> that something stupid isn't about to happen.
Okay, so this is just advice.
Black> In addition, it's important to negotiate encapsulation mode needs
Black> separately from crypto processing - this turns out to dovetail nicely
Black> with the NAT traversal requirements, yielding four encapsulation
Black> modes:
Yes, this is a very good idea.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBPevqh4qHRg3pndX9AQHu9AQAywpNxdLs2C4+MttnkHDQomolhwhqUAG1
+sVku7zw17sUW4DFkx75zkftH3gl/Vpt17V4uCQp+r6MIzqqskVdQ4HRUbocO96/
zi8+pVx7O0j4HMr/h0dmKx1fYg7/Q10n4MjU4Mzlj35zSBrVto+zqvEdy4gD+/3Z
YbAEelFvT9s=
=Z4GM
-----END PGP SIGNATURE-----
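The thread above discusses two per-packet decisions a tunnel endpoint makes when it decapsulates a tunnel-mode SA: what to do with the outer DSCP (copy it to the inner header, or discard it) and how to handle ECN marks set on the outer header in transit. The following Python model is an added illustration written for this archive page; it is not code from the thread, from IKEv2, or from any IPsec implementation. The policy names, function names and the "peer report" check are assumptions; the ECN rules follow the decapsulation behaviour specified in RFC 3168 and RFC 6040 (CE on the outer header is propagated to an ECN-capable inner header, and a packet whose inner header is Not-ECT but whose outer header says CE is dropped, since the outer header is not covered by ESP's integrity protection).

```python
"""Model of DSCP/ECN treatment when an IPsec tunnel-mode SA is decapsulated.

Added example for this mailing-list page; not code from the thread or from
any IKE/IPsec implementation.  DscpPolicy, decapsulate_tos and
check_peer_reports are assumed names introduced here.
"""
from enum import Enum
from typing import List, Optional

DSCP_MASK = 0xFC            # upper 6 bits of the IPv4 TOS / IPv6 Traffic Class byte
ECN_MASK = 0x03             # lower 2 bits: the ECN field
NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11


class DscpPolicy(Enum):
    """What a decapsulator does with the outer DSCP (the two choices in the thread)."""
    DISCARD = "discard"     # keep the inner header's own DSCP; outer value is ignored
    COPY = "copy"           # overwrite the inner DSCP with the outer DSCP


def decapsulate_tos(outer_tos: int, inner_tos: int, policy: DscpPolicy) -> Optional[int]:
    """Return the inner packet's TOS byte after decapsulation, or None to drop.

    outer_tos / inner_tos are the full 8-bit TOS bytes of the outer and inner
    IP headers.  ECN handling follows RFC 3168 / RFC 6040 decapsulation rules;
    DSCP handling follows the chosen policy.
    """
    outer_ecn = outer_tos & ECN_MASK
    inner_ecn = inner_tos & ECN_MASK

    if outer_ecn == CE:
        if inner_ecn == NOT_ECT:
            # The sender never enabled ECN, yet the (unauthenticated) outer
            # header claims congestion was experienced: treat as an illegitimate
            # modification of the outer header and drop.
            return None
        # ECN-capable inner packet: carry the congestion mark through.
        inner_ecn = CE

    if policy is DscpPolicy.COPY:
        inner_dscp = outer_tos & DSCP_MASK
    else:
        inner_dscp = inner_tos & DSCP_MASK

    return inner_dscp | inner_ecn


def check_peer_reports(local: DscpPolicy, remote: DscpPolicy) -> List[str]:
    """Sanity-check the two endpoints' reported decapsulation behaviour.

    This models the thread's "report what will be done" idea: each side states
    its policy, and the check returns human-readable warnings for anything
    risky.  Copying the outer DSCP means trusting a header field that is not
    integrity-protected by the SA, so it is flagged; asymmetric policies are
    reported so an operator can decide whether that is intended.
    """
    warnings: List[str] = []
    for side, pol in (("local", local), ("remote", remote)):
        if pol is DscpPolicy.COPY:
            warnings.append(
                f"{side} endpoint copies outer DSCP on decapsulation; "
                "the outer header is not integrity-protected by the SA")
    if local is not remote:
        warnings.append(
            f"asymmetric DSCP handling: local={local.value}, remote={remote.value}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: inner packet marked AF31 (DSCP 0x2C) with ECT(0);
    # outer header marked EF (DSCP 0xB8) and later set to CE by a router.
    inner = 0x2C | ECT0
    outer = 0xB8 | CE
    print(hex(decapsulate_tos(outer, inner, DscpPolicy.DISCARD)))   # inner DSCP kept, CE propagated
    print(hex(decapsulate_tos(outer, inner, DscpPolicy.COPY)))      # outer DSCP copied, CE propagated
    print(decapsulate_tos(outer, 0x2C | NOT_ECT, DscpPolicy.DISCARD))  # dropped
    for w in check_peer_reports(DscpPolicy.DISCARD, DscpPolicy.COPY):
        print("warning:", w)
```

The DISCARD branch is the conservative default: the inner DSCP was chosen by the sender and is covered by ESP, whereas anything in the outer header can be rewritten by any hop between the gateways. The ECN branch is the one piece of outer-header state that must be carried inward, which is why the thread treats ECN handling as a requirement rather than a policy choice.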