Firewall Wizards mailing list archives

Re: QoS and bandwidth throttling in IPSEC networks


From: "TC Wolsey" <twolsey () realtech com>
Date: Fri, 05 Mar 1999 15:38:21 -0500

Just a thought that I have not seen implemented anywhere... assuming that the edge device (IPSec gateways typically) can
form SAs with both VPN partners (i.e. company site_a to company site_b) as well as gateways at the transport provider,
you should be able to create multiple IPSec encapsulations to differentiate confidential traffic flows to your
transport provider. The result could be something like an ESP tunnel from site_a to site_b for snmp traffic. The IPSec
gateway at site_a encaps the traffic to site_b in an ESP tunnel, and then forms an AH transport SA to the provider's
IPSec gateway and encaps the ESP tunnel traffic with an AH transport. The provider can then do The Right Thing with the
traffic without having to examine anything except the IPSec headers. The IPSec DOI and IKE have space reserved in the
spots necessary to do this kind of thing, but I do not think that you will see it implemented in the real world very
soon :-( My experience has been that getting independent implementations of IPSec/IKE to play nice is hard enough at
this point, although the 32 bits of SPI granularity for traffic classification in the scenario above beats a 3 bit TOS
field any day...

--tcw

Eric Vyncke <evyncke () cisco com> 03/04/99 04:03PM >>>
IPSec in transport mode does not hide the TOS setting, so
QoS tagging will work provided that classification (e.g. setting the TOS) is done
before encryption.

IPSec in tunnel mode requires copying the TOS byte from the
encapsulated IP header into the external IP header, so QoS tagging will
work provided that classification (e.g. setting the TOS) is done
before encryption.

RSVP will not work...

Just my 0.01 EUR

Regards

-eric

At 14:02 4/03/99 +0200, Jyri Kaljundi wrote:

More of an encryption question than a firewall one, but these do get mixed quite
often nowadays:

How are the Quality of Service and bandwidth throttling issues handled in
LAN to LAN encryption products? 

How are these issues generally handled in IPSEC packets, like how can
ISPs and public networks offer QoS for encrypted IPSEC packets? Is it
possible to tag the packets (like voice, low quality, e-mail, etc.) and is
there an RFC on this?

Jüri Kaljundi
jk () stallion ee                     Mustamäe tee 55, Tallinn 10621, Estonia
AS Stallion                        Tel: +372-656 7720
http://www.stallion.ee/            Fax: +372-656 7727


Eric Vyncke                        Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-75-312.458
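The following is an added example, not code from anyone in this thread. It models in byte-level detail the
double encapsulation TC Wolsey proposes (inner packet in an ESP tunnel site_a -> site_b, then an AH transport
header inserted so the provider can read its SPI) together with Eric Vyncke's point that the outer TOS byte
is what transit devices see and must be set before encryption. The keys, SPIs, addresses and the provider-side
SPI-to-class table are constructed for the example; ESP payload encryption is a SHA-256 counter keystream standing
in for a real cipher and ESP authentication is omitted; the AH ICV is HMAC-SHA1-96 (RFC 2404) computed with the
mutable IPv4 fields zeroed as RFC 2402 requires, over a packet without IP options.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IPPROTO_ESP, IPPROTO_AH = 50, 51

# Constructed keys and provider-side SPI -> class table (assumptions, not from the thread).
ESP_KEY = b"constructed-esp-key-site_a-site_b"
AH_KEY = b"constructed-ah-key-site_a-provider"
SPI_CLASS = {0x1000A: "management (snmp)", 0x1000B: "bulk (e-mail)"}


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed by caller)."""
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, tos: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def toy_keystream(key: bytes, seq: int, n: int) -> bytes:
    """Stand-in for ESP's cipher (SHA-256 in counter mode). Illustrative only, not IPsec crypto."""
    blocks = [hashlib.sha256(key + struct.pack("!II", seq, c)).digest() for c in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def esp_tunnel(inner_pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """ESP header | encrypted [inner IP packet | padding | pad length | next header = 4 (IPv4)].
    The whole inner header, TOS byte included, is hidden from anyone without the key."""
    pad_len = (-(len(inner_pkt) + 2)) % 4
    plaintext = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])
    ks = toy_keystream(key, seq, len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plaintext, ks))


def esp_decapsulate(esp_pkt: bytes, key: bytes) -> bytes:
    """site_b side: strip ESP header and trailer, returning the inner IP packet."""
    _spi, seq = struct.unpack("!II", esp_pkt[:8])
    pt = bytes(a ^ b for a, b in zip(esp_pkt[8:], toy_keystream(key, seq, len(esp_pkt) - 8)))
    return pt[: len(pt) - 2 - pt[-2]]


def ah_icv_input(outer_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """Bytes the AH ICV covers: RFC 2402 zeroes the mutable IPv4 fields (TOS, flags/fragment
    offset, TTL, header checksum) and the ICV field itself."""
    h = bytearray(outer_hdr)
    h[1], h[6:8], h[8], h[10:12] = 0, b"\x00\x00", 0, b"\x00\x00"
    return bytes(h) + ah_fixed + bytes(12) + payload


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:12]  # RFC 2404: truncated to 96 bits


def ah_transport(src: str, dst: str, tos: int, esp_pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """AH in transport mode: IP header | AH (12 fixed bytes + 12-byte ICV) | ESP packet."""
    ah_fixed = struct.pack("!BBHII", IPPROTO_ESP, 4, 0, spi, seq)  # payload len = 24/4 - 2
    outer = ipv4_header(src, dst, IPPROTO_AH, tos, 24 + len(esp_pkt))
    return outer + ah_fixed + hmac_sha1_96(key, ah_icv_input(outer, ah_fixed, esp_pkt)) + esp_pkt


def ah_verify(pkt: bytes, key: bytes) -> bool:
    outer, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, hmac_sha1_96(key, ah_icv_input(outer, ah_fixed, payload)))


def provider_classify(pkt: bytes) -> dict:
    """What a transit classifier reads with no keys: outer TOS, protocol, outermost SPI."""
    tos, proto = pkt[1], pkt[9]
    spi = {IPPROTO_AH: lambda: struct.unpack("!I", pkt[24:28])[0],
           IPPROTO_ESP: lambda: struct.unpack("!I", pkt[20:24])[0]}.get(proto, lambda: None)()
    return {"tos": tos, "proto": proto, "spi": spi, "class": SPI_CLASS.get(spi, "default")}


def provider_remark_tos(pkt: bytes, new_tos: int) -> bytes:
    """Re-mark the outer TOS byte and fix the IP checksum; the AH ICV is unaffected."""
    h = bytearray(pkt[:20])
    h[1], h[10:12] = new_tos, b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def build_demo() -> tuple:
    """site_a marks a datagram (TOS 0xB8) before encryption, wraps it in an ESP tunnel to site_b,
    copies the TOS to the outer header, and inserts the AH transport header for the provider."""
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 17, 0xB8, 8) + b"snmp-pdu"  # stand-in payload
    esp = esp_tunnel(inner, spi=0x2000A, seq=1, key=ESP_KEY)
    pkt = ah_transport("192.0.2.1", "203.0.113.1", inner[1], esp, spi=0x1000A, seq=1, key=AH_KEY)
    return inner, esp, pkt


if __name__ == "__main__":
    inner, esp, pkt = build_demo()
    print("provider sees:", provider_classify(pkt))
    print("AH ICV still valid after TOS re-marking:", ah_verify(provider_remark_tos(pkt, 0), AH_KEY))
    print("site_b recovers inner TOS:", hex(esp_decapsulate(pkt[44:], ESP_KEY)[1]))
```

Two things the model makes concrete. First, the classifier never touches the inner header: it keys off the
outer TOS byte and the outermost SPI, so a TOS set after encryption, or an inner TOS that was not copied out
in tunnel mode, is simply invisible to it. Second, because RFC 2402 declares TOS mutable, a transit device
can re-mark it without invalidating the AH ICV; QoS marking is therefore not integrity-protected even under AH,
and the SPI that a provider would classify on is equally readable by anyone else on the path, so a
per-class SPI also tells an eavesdropper which tunnel carries the management traffic.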