Black, David <david.bl...@emc.com> wrote: > Be careful ? if the IPsec SA or tunnel crosses diffserv domains, the outer DSCP > won?t have the same meaning at both ends.
True, but let's no boil any oceans here. > The initial solution looks like it?s single-domain ? access concentrator to > client on a single network. Nonetheless, the solution needs to be designed for > at least a couple of things beyond one DSCP and one domain, even if they won?t > be used initially: Yes. > - Detect Diffserv domain crossing that makes DSCP not usable by client How could one do this? > - Multiple DSCPs are involved, e.g., AF drop precedence with multiple DSCPs is > being used with rate-based traffic shaping. I don't think that they need multiple DSCPs. I think that they simply want to ask the UE to use a particular code point. It seems like a very simple Notification would work fine, and I think that the people doing this are in control of the IKE/IPsec stack on the UE, and the IKE/IPsec stack on the peer, with the intervening network under their influence, but not their control. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
pgp76Mwuy2TMo.pgp
Description: PGP signature
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec