Hi, Please see inline.
On Tue, 2020-12-01 at 13:46 +0100, Rafa Marin-Lopez wrote:
> Dear Magnus:
>
> > On 27 Nov 2020, at 9:56, Magnus Westerlund <[email protected]> wrote:
> >
> > So as long as the option is to turn on "Normal Mode" for tunnel
> > processing of the ECN bits or not then you can disregard the whole thing
> > about RFC 8311. The applications that will use alternative behaviors for
> > ECN will have to know that the consumer understands the semantics. So in
> > this case as the IPSec tunnel only copies the bits back and forth no
> > additional action is needed.
>
> [Authors] We have a comment about this and regarding RFC 6040. As we mentioned
> in our previous e-mail, the RFC 6040 states:
>
> "Modes: RFC 4301 tunnel endpoints do not need modes and are not
> updated by the modes in the present specification. Effectively,
> an RFC 4301 IPsec ingress solely uses the REQUIRED normal mode of
> encapsulation, which is unchanged from RFC 4301 encapsulation.
> It will never need the OPTIONAL compatibility mode as explained
> in Section 4.3"
>
> Therefore an IPsec tunnel ALWAYS copies the ecn bits from the inner to the
> outer header (normal mode). We do not see any other alternative.
>
> In consequence, after this discussion, our proposal would be just to remove
> the leaf ecn since, according to this text, there is a single option: copy.
>
> Does it sound reasonable?

I might be missing something here but I don't think removing the leaf is the correct option unless you plan to mandate ECN processing by both endpoints to be always on. So I think there is a binary configuration option between enabling the RFC6040 processing between inner and outer headers, and to not have ECN enabled at all, i.e. set ECN bits to Not-ECN on the outer encapsulation. Copying the bits on the ingress and not having the egress do the corresponding operation has some negative consequences to fairness.

Also, I cringe a bit when you say copy. Because what 6040 + 4301 defines is not strictly copying. That is why it is important to have the right formulation and not call it copy.

Cheers

Magnus
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
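The difference between "copy" and the RFC 6040 behaviour discussed in this message, as an added example that is not part of the original e-mail or of the I2NSF draft. It models normal-mode encapsulation and the RFC 6040 default egress (decapsulation) rules; the `ecn_enabled` flag and the `tunnel` helper are hypothetical names standing in for the binary option discussed in the thread.

```python
# ECN codepoints: two low-order bits of the IPv4 TOS / IPv6 Traffic Class byte (RFC 3168).
NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11
DROP = None  # the decapsulator must discard the packet


def encapsulate(inner, ecn_enabled=True):
    """Outer ECN field chosen by the tunnel ingress.

    ecn_enabled is a hypothetical flag for the binary option in the thread:
    True  -> normal mode, outer header takes the inner codepoint
    False -> outer header is Not-ECT, ECN is not used on the tunnel path
    """
    return inner if ecn_enabled else NOT_ECT


def decapsulate(inner, outer):
    """Outgoing ECN field at the tunnel egress (RFC 6040 default egress behaviour)."""
    if inner == NOT_ECT:
        # A transport that did not negotiate ECN must never see a mark:
        # outer CE cannot be propagated, so the packet is dropped instead.
        return DROP if outer == CE else NOT_ECT
    if outer == CE or inner == CE:
        return CE          # congestion seen inside or before the tunnel survives
    if inner == ECT0 and outer == ECT1:
        return ECT1        # outer ECT(1) overrides inner ECT(0)
    return inner           # all remaining combinations keep the inner codepoint


def tunnel(inner, mark_in_tunnel=None, ecn_enabled=True):
    """Send one packet through ingress, an optional re-marking router, and egress."""
    outer = encapsulate(inner, ecn_enabled)
    # A congested router only re-marks ECN-capable packets; a Not-ECT outer
    # header is left unmarked here (a real router would drop instead).
    if mark_in_tunnel is not None and outer != NOT_ECT:
        outer = mark_in_tunnel
    return decapsulate(inner, outer)


if __name__ == "__main__":
    names = {NOT_ECT: "Not-ECT", ECT1: "ECT(1)", ECT0: "ECT(0)", CE: "CE", DROP: "<drop>"}
    for inner in (NOT_ECT, ECT0, ECT1, CE):
        row = [names[decapsulate(inner, outer)] for outer in (NOT_ECT, ECT0, ECT1, CE)]
        print(f"inner {names[inner]:8} ->", row)
```

The printed table shows that the egress result depends on both headers, so neither "copy inner" nor "copy outer" describes it.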
