Michael Richardson writes:
> For a given IPsec SA, they want to overwrite/force/set the DSCP to a
> particular value. It will not depend upon the traffic that goes into it
> (but, the SPD selectors may quite specifically pick the traffic).

I think RFC4301 already requires that. I.e. it requires implementations to be able to map DSCP values to suitable values. If the sender knows how to pick up suitable DSCP values and they are then tunneled through the IPsec tunnel, then the receiving GW can use those to map those values to the suitable values for the other domain.

As the IPsec processing is not affected by that mapping, there is no point of negotiating it in the IKE. The DSCP can be used as a classifier which selects which packets are put to which SA, and this is required because of the reordering problems, and this is already handled in the IPsec.

I am missing how transmitting this information from SGW to SGW affects the IPsec processing.

I do not think we should use IKE for transmitting all kinds of stuff that the other end might be interested in. It is better to use some protocol suitable for it. For example our configuration payload tries to send only a minimal set of parameters which affect the IPsec processing (yes, there are some extra there like DNS, and NBNS), and the rest of the configuration parameters should be gotten from the DHCP server (whose address is sent inside the configuration payload).

--
kivi...@iki.fi
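
The reordering point in the message above, as an added illustration (not code from the thread or from any IPsec implementation): a simulation of an RFC 4303-style anti-replay window, comparing one SA shared by two DSCP classes with one SA per class. The window size, the delay and the traffic pattern are constructed assumptions.

```python
WINDOW = 32  # assumed anti-replay window size, in packets


class ReplayWindow:
    """Sliding-window anti-replay check in the style of RFC 4303."""

    def __init__(self, size=WINDOW):
        self.size, self.top, self.seen = size, 0, set()

    def accept(self, seq):
        if seq + self.size <= self.top:   # left of the window: too old
            return False
        if seq in self.seen:              # duplicate inside the window
            return False
        self.seen.add(seq)
        if seq > self.top:                # slide the window forward
            self.top = seq
            self.seen = {s for s in self.seen if s + self.size > self.top}
        return True


def simulate(per_dscp_sa, packets=400, be_delay=100):
    """Return receiver-side drops per DSCP for constructed traffic.

    The sender alternates EF (DSCP 46) and best-effort (DSCP 0) packets.
    The network (constructed QoS model) delays every best-effort packet
    by `be_delay` sending slots, so the two classes arrive reordered.
    """
    counters, wire = {}, []
    for slot in range(packets):
        dscp = 46 if slot % 2 == 0 else 0
        sa = dscp if per_dscp_sa else "single"   # DSCP as SA classifier
        counters[sa] = counters.get(sa, 0) + 1   # per-SA sequence number
        arrival = slot + (be_delay if dscp == 0 else 0)
        wire.append((arrival, slot, sa, dscp, counters[sa]))

    windows, drops = {}, {46: 0, 0: 0}
    for _, _, sa, dscp, seq in sorted(wire):     # receiver sees arrival order
        if not windows.setdefault(sa, ReplayWindow()).accept(seq):
            drops[dscp] += 1
    return drops


if __name__ == "__main__":
    print("one SA for both classes:", simulate(per_dscp_sa=False))
    print("one SA per DSCP class: ", simulate(per_dscp_sa=True))
```

With a shared SA the delayed class falls behind the window and is discarded as replayed; with DSCP selecting the SA, each class keeps its own sequence space and nothing is dropped.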