Black, David <[email protected]> wrote: > Be careful ? if the IPsec SA or tunnel crosses diffserv domains, the outer DSCP > won?t have the same meaning at both ends.
True, but let's no boil any oceans here.
> The initial solution looks like it?s single-domain ? access concentrator
to
> client on a single network. Nonetheless, the solution needs to be
designed for
> at least a couple of things beyond one DSCP and one domain, even if they
won?t
> be used initially:
Yes.
> - Detect Diffserv domain crossing that makes DSCP not usable by client
How could one do this?
> - Multiple DSCPs are involved, e.g., AF drop precedence with multiple
DSCPs is
> being used with rate-based traffic shaping.
I don't think that they need multiple DSCPs.
I think that they simply want to ask the UE to use a particular code point.
It seems like a very simple Notification would work fine, and I think that
the people doing this are in control of the IKE/IPsec stack on the UE, and
the IKE/IPsec stack on the peer, with the intervening network under their
influence, but not their control.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
pgp76Mwuy2TMo.pgp
Description: PGP signature
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
