> What semantics do you think you can impose on something like that?
>
> => just associate a QoS to a SPI and send the information (i.e. how to
> classify packets (addresses, ..., SPI) and the QoS) to the classifier
> (which is by definition on-path).
That could be brute-forced into working if someone invented such a
protocol. However, it seems that you could accomplish the same goal
by having the originator of the traffic mark the diffserv bits of the
packet "appropriately", with the classifier merely having some policy
saying which nodes are allowed to send ipsec traffic with various
markings, possibly translating the markings appropriately.
> Another solution is to ask the receiver to be less random (again the
> info will be spread only on-path).
I doubt that this option would be acceptable to the ipsec community.
> PPS: Bill, as an IPsec person, would you like to have upper layer protocol
> and port revealed in flow labels?
No, that leaks information useful to someone doing traffic analysis;
I'd rather let the node doing the ipsec encapsulation mark it with a
much coarser-grained QoS class.
(besides, I'd just hack my implementation to let you configure the
"most favorable treatment" port number in the flow label..)
- Bill
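The classifier policy Bill sketches above, as an added illustration that is not part of this thread or any IPsec implementation: the on-path classifier parses only the IPv6 header and the ESP SPI, trusts a DSCP marking only from nodes the policy lists, and coarsens it to the classes it actually enforces. The policy table, the addresses and the DSCP-to-class mapping are constructed for the example.

```python
import struct

ESP_NEXT_HEADER = 50  # IPv6 Next Header value for ESP

# Constructed policy: for each source node, the DSCP values it may set on
# IPsec traffic. Anything not listed is treated as untrusted and demoted.
POLICY = {
    bytes.fromhex("20010db8000000000000000000000001"): {46, 26, 0},
}
# Constructed mapping from requested DSCP to the coarser class the
# classifier actually forwards with (46 kept, 26 folded into 10).
COARSEN = {46: 46, 26: 10, 0: 0}

def parse_ipv6_ipsec(pkt: bytes) -> dict:
    """Return DSCP, flow label, source address and SPI of an IPv6/ESP packet.
    Nothing beyond the ESP header is inspected: the port is encrypted."""
    if len(pkt) < 48:
        raise ValueError("short packet")
    first_word, = struct.unpack("!I", pkt[:4])
    if first_word >> 28 != 6:
        raise ValueError("not IPv6")
    traffic_class = (first_word >> 20) & 0xFF
    flow_label = first_word & 0xFFFFF       # parsed, but not used for QoS
    if pkt[6] != ESP_NEXT_HEADER:
        raise ValueError("not ESP")
    spi, = struct.unpack("!I", pkt[40:44])  # first word of the ESP header
    return {"dscp": traffic_class >> 2, "flow_label": flow_label,
            "src": pkt[8:24], "spi": spi}

def classify(pkt: bytes) -> int:
    """DSCP the classifier will forward the packet with (0 = best effort)."""
    fields = parse_ipv6_ipsec(pkt)
    allowed = POLICY.get(fields["src"], {0})
    if fields["dscp"] not in allowed:
        return 0  # marking not permitted for this node: demote
    return COARSEN.get(fields["dscp"], 0)

def build_packet(src_hex: str, dscp: int, flow_label: int, spi: int) -> bytes:
    """Constructed IPv6 header + ESP header, enough for the classifier."""
    first_word = (6 << 28) | ((dscp << 2) << 20) | (flow_label & 0xFFFFF)
    hdr = struct.pack("!IHBB", first_word, 8, ESP_NEXT_HEADER, 64)
    hdr += bytes.fromhex(src_hex) + bytes.fromhex("20010db8" + "00" * 11 + "02")
    return hdr + struct.pack("!II", spi, 1)  # SPI, sequence number
```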
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------