[Cerowrt-devel] cerowrt 3.6.9-5

Michael Richardson mcr at sandelman.ca
Mon Dec 10 09:22:24 EST 2012


>>>>> "Dave" == Dave Taht <dave.taht at gmail.com> writes:
    Dave> I worry about encapsulating protocols copying the inner TOS/Diffserv
    Dave> bits to the outer IP header. Using a shaper that is aware of these
    Dave> bits would end up delivering packets that depend on a sequential
    Dave> encrypted stream out of order.

1) RFC4301 is quite specific about this... it permits a window of up to
   64 (even 128) out of order packets.   It's not a problem.

    Dave> My head explodes when trying to understand AH and ipsec (strongswan),
    Dave> however, and I'd rather set up one and look at packets than try to
    Dave> understand the code. ENOTIME... and that leaves ipip etherip and
    Dave> encap, and l2tp left to look at.

2) Strongswan, unless it added in it's IKEv2 implementation, could
negotiate how to set/copy ECN bits.  However, that was never in openswan
historically (from which strongswan forked)

L2TP generally is no longer used without IPsec.
The ECN bits are "fresh" on new packets.... the issue is propogating
them into the inner packet on decap.  I don't know if the Netkey kernel
IPsec code is compliant to RFC3168 or not, but it's a decap concern, not
an encap shaping concern.

RFC4306:
2.24.  Explicit Congestion Notification (ECN)

   When IPsec tunnels behave as originally specified in [RFC2401], ECN
   usage is not appropriate for the outer IP headers because tunnel
   decapsulation processing discards ECN congestion indications to the
   detriment of the network.  ECN support for IPsec tunnels for IKEv1-
   based IPsec requires multiple operating modes and negotiation (see
   [RFC3168]).  IKEv2 simplifies this situation by requiring that ECN be
   usable in the outer IP headers of all tunnel-mode IPsec SAs created
   by IKEv2.  Specifically, tunnel encapsulators and decapsulators for
   all tunnel-mode SAs created by IKEv2 MUST support the ECN full-
   functionality option for tunnels specified in [RFC3168] and MUST
   implement the tunnel encapsulation and decapsulation processing
   specified in [RFC4301] to prevent discarding of ECN congestion
   indications.

RFC4301:
5.1.2.  Header Construction for Tunnel Mode

...
    o IPsec describes how to handle ECN or DS and provides the ability
      to control propagation of changes in these fields between
      unprotected and protected domains.  In general, propagation from a
      protected to an unprotected domain is a covert channel and thus
      controls are provided to manage the bandwidth of this channel.
      Propagation of ECN values in the other direction are controlled so
      that only legitimate ECN changes (indicating occurrence of
      congestion between the tunnel endpoints) are propagated.  By
      default, DS propagation from an unprotected domain to a protected
      domain is not permitted.  However, if the sender and receiver do
      not share the same DS code space, and the receiver has no way of
      learning how to map between the two spaces, then it may be
      appropriate to deviate from the default.  Specifically, an IPsec
      implementation MAY be configurable in terms of how it processes
      the outer DS field for tunnel mode for received packets.  It may
      be configured to either discard the outer DS value (the default)
      OR to overwrite the inner DS field with the outer DS field.  If
      offered, the discard vs. overwrite behavior MAY be configured on a
      per-SA basis.  This configuration option allows a local
      administrator to decide whether the vulnerabilities created by
      copying these bits outweigh the benefits of copying.  See
      [RFC2983] for further information on when each of these behaviors
      may be useful, and also for the possible need for diffserv traffic
      conditioning prior or subsequent to IPsec processing (including
      tunnel decapsulation).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20121210/acee35e5/attachment.sig>


More information about the Cerowrt-devel mailing list