Yes, now it is clear that IKE is not supposed to do DSCP negotiation.
Thanks for the explanations.


Richardson's comment.
>>>
>>>I don't think that they need multiple DSCPs.
>>>I think that they simply want to ask the UE to use a particular code point.

>>>It seems like a very simple Notification would work fine, and I think that
>>>the people doing this are in control of the IKE/IPsec stack on the UE, and
>>>the IKE/IPsec stack on the peer, with the intervening network under their
>>>influence, but not their control

[PAUL] I have gone through the RFC 5996 section 3.10.1 Notify message types,
but could not find a suitable message type to convey DSCP information.
Can you suggest which notification message should be used here?

Thanks,
Paul




On Wed, Nov 6, 2013 at 5:48 AM, Michael Richardson <mcr+i...@sandelman.ca> wrote:

>
> Tero Kivinen <kivi...@iki.fi> wrote:
>     > Michael Richardson writes:
>     >> For a given IPsec SA, they want to overwrite/force/set the DSCP to a
>     >> particular value.  It will not depend upon the traffic that goes into it
>     >> (but, the SPD selectors may quite specifically pick the traffic).
>
>     > I think RFC4301 already requires that. I.e. it requires
>     > implementations to be able to map DSCP values to suitable values. If
>     > the sender knows how to pick up suitable DSCP values and they are then
>     > tunneled through the IPsec tunnel, then the receiving GW can use those
>     > to map those values to the suitable values for the other domain.
>
> Yes, I did quote the part of 4301 that mandates that it be settable.
>
>     > I am missing how does transmitting this information from SGW to SGW
>     > affect the IPsec processing? I do not think we should use IKE as
>     > transmitting all kinds of stuff that other end might be interested in.
>
> It does not affect any processing. Who said that it did?
>
> The question is, how does the UE know what DSCP to put on the ESP packet?
> Yes, it could come from another protocol, but which?  IKE already did the
> authentication, and so already established what entity is asking for service.
> One might statically configure things, but if the UE moves around the exact
> DSCP might change.
>
> As David Black pointed out, there might be Diffserv boundaries.  In that
> case, the UE has to put the DSCP appropriate for the network the UE is
> attached to, and for things to work, there either has to be DSCP rewriting
> occurring at the diffserv boundary. But, all that matters is that the UE put
> the DSCP in, the network takes care of the rest.
> The gateway might know where the diffserv boundaries are by special
> knowledge, but there is no reason to need to tell the UE about it.
>
> --
> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
>
>
>
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
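
An added illustration (not part of the thread, and not code from any IKE implementation) of the "very simple Notification" discussed above: an IKEv2 Notify payload laid out per RFC 5996 section 3.10, carrying one DSCP octet, with the receiver-side checks. The type value 40960 is an assumption taken from the private-use status range, since RFC 5996 defines no DSCP notify type; the function names are hypothetical.

```python
import struct

# Assumption: a status Notify type picked from the private-use range
# (40960-65535). RFC 5996 defines no notification for DSCP.
N_DSCP_HINT = 40960
PROTO_NONE = 0  # SPI field is empty, so Protocol ID is sent as zero
HDR = "!BBHBBH"  # next payload, critical/reserved, length, proto, SPI size, type


def build_dscp_notify(dscp, next_payload=0):
    """Return a Notify payload whose notification data is one DSCP octet."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0-63)")
    data = bytes([dscp])
    length = 8 + len(data)  # 4-octet generic header + 4 fixed Notify octets
    return struct.pack(HDR, next_payload, 0, length, PROTO_NONE, 0,
                       N_DSCP_HINT) + data


def parse_dscp_notify(payload):
    """Return the DSCP carried in the payload, or None for other types."""
    if len(payload) < 8:
        raise ValueError("truncated Notify payload")
    _next, _flags, length, _proto, spi_size, ntype = struct.unpack(
        HDR, payload[:8])
    if length != len(payload) or length < 8 + spi_size:
        raise ValueError("payload length field does not match")
    if ntype != N_DSCP_HINT:
        return None  # unrecognized status types are ignored by the receiver
    data = payload[8 + spi_size:]
    if len(data) != 1 or data[0] > 63:
        raise ValueError("malformed DSCP notification data")
    return data[0]


def tos_octet(dscp):
    """DSCP occupies the upper six bits of the outer IP TOS/Traffic Class."""
    return dscp << 2


if __name__ == "__main__":
    wire = build_dscp_notify(46)  # constructed sample: EF code point
    print(wire.hex(), parse_dscp_notify(wire), hex(tos_octet(46)))
```
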
