Re: [IPsec] WESP - Roadmap Ahead

Tero Kivinen <kivinen@iki.fi> Mon, 16 November 2009 13:09 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B01BF3A6AA3 for <ipsec@core3.amsl.com>; Mon, 16 Nov 2009 05:09:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4KiQn-yFE3Ja for <ipsec@core3.amsl.com>; Mon, 16 Nov 2009 05:09:16 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 9FA083A680C for <ipsec@ietf.org>; Mon, 16 Nov 2009 05:09:15 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nAGD95iD026258 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Nov 2009 15:09:05 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nAGD94u5019263; Mon, 16 Nov 2009 15:09:04 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <19201.20208.563706.519993@fireball.kivinen.iki.fi>
Date: Mon, 16 Nov 2009 15:09:04 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350AB2C86306@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <dc8fd0140911110805q67759507t6cf75a1e9d81c5aa@mail.gmail.com> <19200.8786.266973.313959@fireball.kivinen.iki.fi> <7C362EEF9C7896468B36C9B79200D8350AB2C86306@INBANSXCHMBSA1.in.alcatel-lucent.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 3 min
X-Total-Time: 2 min
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 13:09:16 -0000

Bhatia, Manav (Manav) writes:
> And the reason why you might want to use WESP is to prioritize
> certain protocol packets over the others, as is normally done for v4
> control packets (e.g. OSPFv3 HELLOs and ACKs over other OSPFv3
> packets) 

You cannot do that, as if the packets get reordered more than what is
the replay window size of the responder, then older packets will get
dropped. If you want to do QoS you need to use multiple IPsec SAs each
carrying only one traffic for one QoS level.

See RFC4301 section 4.1.
-- 
kivinen@iki.fi