RE: [Diffserv] ToS, IPSec and Anti replay

Black_David@emc.com Fri, 07 July 2000 18:52 UTC

From: Black_David@emc.com
Message-ID: <0F31E5C394DAD311B60C00E029101A070148FADA@corpmx9.isus.emc.com>
To: sfanning@cisco.com, p_muley@yahoo.com
Cc: diffserv@ietf.org
Subject: RE: [Diffserv] ToS, IPSec and Anti replay
Date: Fri, 07 Jul 2000 14:26:19 -0400

> So, just so I am clear. If I have 2 classes of service and one tunnel
> for both, and packets are out of order, you are saying that it is the
> IPSec anti-replay windows problem? The solution is a tunnel per class of
> service.

That's one possibility.  Here's the complete story -- IF

(1) You have two classes of service AND
(2) You want to run them in IPSec tunnel mode AND
(3) You want them differentiated in a way that reorders packets within the
tunnel AND
(4) You want to use IPSec anti-replay protection AND
(5) You want to use a single tunnel.

THEN you have a problem, because the last three items cannot in general be
done at the same time without having the IPSec anti-replay protection
complain or worse.

There are three possible solutions based on which item is left out:

(A) Leave out (3) by marking the same class of service on the outer
    IP headers even though there are multiple classes carried in the tunnel.
    There will be no packet reordering within the tunnel.
(B) Leave out (4) by not configuring IPSec anti-replay protection.
(C) Leave out (5) by using a tunnel per class of service that you want
    differentiated.
    This uses additional resources to support the additional tunnels.

Again, please check the text in draft-ietf-diffserv-tunnels-01.txt, which
is in informal last call at the moment.  The text in Sections 5.1 and 5.2
is supposed to address *exactly* this issue - if the text is not
sufficiently clear, I need to make it so, and would appreciate suggestions.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140, FAX: +1 (508) 497-6909
black_david@emc.com  Cellular: +1 (978) 394-7754
---------------------------------------------------
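An added illustration, not part of the original message or of the tunnels draft: a Python simulation of the interaction described above, with an RFC 2401-style sliding anti-replay window at the tunnel egress, a strict-priority hop where EF packets overtake a backlog of BE packets inside one tunnel, and the single-tunnel case compared against options (A) (no reordering) and (C) (one SA per class). The 64-bit window, the sample burst and the backlog depth are assumed values.

```python
from collections import deque

WINDOW = 64  # assumed window size; RFC 2401 requires at least 32 bits

class AntiReplayWindow:
    """Sliding bitmap window as in RFC 2401 Appendix C, one per SA.
    Bit i of the bitmap is set when sequence number (top - i) was seen."""
    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap, self.dropped = size, 0, 0, []

    def receive(self, seq):
        """Return True if accepted, False if rejected as replay or too old."""
        if seq > self.top:                       # new right edge: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            self.dropped.append(seq)             # left of window, or duplicate
            return False
        self.bitmap |= 1 << diff
        return True

def priority_hop(packets, backlog):
    """Strict-priority scheduler: EF bypasses up to `backlog` queued BE packets."""
    queue, out = deque(), []
    for pkt in packets:
        if pkt["cls"] == "EF":
            out.append(pkt)
        else:
            queue.append(pkt)
            if len(queue) > backlog:
                out.append(queue.popleft())
    out.extend(queue)
    return out

def run(classes, backlog, one_sa_per_class=False, reorder=True):
    """Count packets the egress rejects. one_sa_per_class=True is option (C);
    reorder=False models option (A), where the hop sees one outer DSCP (FIFO)."""
    next_seq, packets = {}, []
    for cls in classes:                          # ingress assigns seq per SA
        sa = cls if one_sa_per_class else "shared"
        next_seq[sa] = next_seq.get(sa, 0) + 1
        packets.append({"sa": sa, "seq": next_seq[sa], "cls": cls})
    delivered = priority_hop(packets, backlog) if reorder else packets
    windows = {sa: AntiReplayWindow() for sa in next_seq}
    for pkt in delivered:
        windows[pkt["sa"]].receive(pkt["seq"])
    return sum(len(w.dropped) for w in windows.values())

TRAFFIC = ["BE"] * 100 + ["EF"] + ["BE"] * 100   # constructed sample burst
```

With an 80-packet BE backlog the single EF packet advances the shared window past 17 still-queued BE packets, which are then discarded as replays; with a backlog of 40 (inside the window) nothing is lost, as is the case under options (A) and (C).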


_______________________________________________
diffserv mailing list
diffserv@ietf.org
http://www1.ietf.org/mailman/listinfo/diffserv
Archive: http://www-nrg.ee.lbl.gov/diff-serv-arch/