RFC 4306 specifically requires implementations to support multiple parallel child SAs.
If you use a different SA for each QoS class, you should not have problems with the replay window.

________________________________
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Prabhat Hegde
Sent: Wednesday, March 25, 2009 12:58 PM
To: ipsec@ietf.org
Subject: [IPsec] is there any proposed solution to solve the anti-replay problem for IPsec pkts when subject to QOS classification

Hi,

In case we do QOS re-ordering (caused due to shaping & queueing) for traffic classes after encryption, the encrypted pkts get re-ordered thus changing the order of sequence numbers. At the receiving end, such out-of-order pkts are dropped by IPsec since they do not fall under the anti-replay window range.

Is there any proposed solution/draft which caters to this problem? If yes, it would be great if someone can point me to it.

--
With regards,
Prabhat
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
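
The effect discussed in this thread, as an added example that is not part of the original messages: a receiver-side anti-replay window in the style of RFC 4303 (32-bit sequence numbers, no ESN), fed with traffic in which one class is delayed after encryption, once over a single shared SA and once over one SA per QoS class. The class names (EF, BE), the traffic mix, the 100-packet delay and the 64-packet window are constructed assumptions.

```python
from collections import defaultdict

class ReplayWindow:
    """Sliding anti-replay window; bit 0 of the bitmap is the highest seq seen."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                       # new right edge: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # left of the window: dropped
            return False
        if self.bitmap & (1 << offset):          # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True

def simulate(per_class_sa, n=400, be_every=4, be_delay=100, window=64):
    """Count receiver drops per class when BE packets are delayed after encryption.

    Constructed traffic: every be_every-th packet is best effort (BE), the rest
    are expedited (EF). The shaper holds each BE packet for be_delay packet slots.
    """
    tx_seq = defaultdict(int)                    # one sequence counter per SA
    wire = []
    for i in range(n):
        cls = "BE" if i % be_every == 0 else "EF"
        sa = cls if per_class_sa else "shared"   # SA chosen before encryption
        tx_seq[sa] += 1
        arrival = i + (be_delay if cls == "BE" else 0)
        wire.append((arrival, i, cls, sa, tx_seq[sa]))
    wire.sort()                                  # order seen by the receiver
    rx = defaultdict(lambda: ReplayWindow(window))
    drops = {"EF": 0, "BE": 0}
    for _, _, cls, sa, seq in wire:
        if not rx[sa].accept(seq):
            drops[cls] += 1
    return drops

if __name__ == "__main__":
    print("shared SA   :", simulate(per_class_sa=False))
    print("per-class SA:", simulate(per_class_sa=True))
```

With the shared SA, the delayed class loses every packet that arrives more than a window's width behind the expedited traffic; with one SA per class, each class keeps its own in-order sequence space and nothing is dropped.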