Firewall Wizards mailing list archives
Re: QoS and bandwidth throttling in IPSEC networks
From: "TC Wolsey" <twolsey () realtech com>
Date: Fri, 05 Mar 1999 15:38:21 -0500
Just a thought that I have not seen implemented anywhere... assuming that the edge device (IPSec gateways typically) can form SAs with both VPN partners (i.e. company site_a to company site_b) as well as gateways at the transport provider, you should be able to create multiple IPSec encapsulations to differentiate confidential traffic flows to your transport provider.

The result could be something like an ESP tunnel from site_a to site_b for snmp traffic. The IPSec gateway at site_a encaps the traffic to site_b in an ESP tunnel, and then forms an AH transport SA to the provider's IPSec gateway and encaps the ESP tunnel traffic with an AH transport. The provider can then do The Right Thing with the traffic without having to examine anything except the IPSec headers.

The IPSec DOI and IKE have space reserved in the spots necessary to do this kind of thing, but I do not think that you will see it implemented in the real world very soon :-( My experience has been that getting independent implementations of IPSec/IKE to play nice is hard enough at this point, although the 32 bits of SPI granularity for traffic classification in the scenario above beats a 3 bit TOS field any day...

--tcw
Eric Vyncke <evyncke () cisco com> 03/04/99 04:03PM >>>
IPSec in transport mode does not hide the TOS setting, so QoS tagging will work provided that classification (e.g. setting the TOS) is done before encryption.

IPSec in tunnel mode requires copying the TOS byte into the external IP header from the encapsulated IP header, so QoS tagging will work provided that classification (e.g. setting the TOS) is done before encryption.

RSVP will not work...

Just my 0.01 EUR

Regards

-eric

At 14:02 4/03/99 +0200, Jyri Kaljundi wrote:
More of an encryption question than firewalls, but this does get mixed quite often nowadays:

How are the Quality of Service and bandwidth throttling issues handled in LAN to LAN encryption products? How are these issues generally handled in IPSEC packets, like how can ISP's and public networks offer QoS for encrypted IPSEC packets? Is it possible to tag the packets (like voice, low quality, e-mail etc) and is there an RFC on this?

Jüri Kaljundi
jk () stallion ee
AS Stallion
Mustamäe tee 55, Tallinn 10621, Estonia
Tel: +372-656 7720
Fax: +372-656 7727
http://www.stallion.ee/
Eric Vyncke
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
Mobile: +32-75-312.458
E-mail: evyncke () cisco com
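The two mechanisms discussed in this thread, a provider classifying on the TOS byte that tunnel mode copies into the outer header (Eric's point) and classifying on the SPI of an outer AH transport SA (TC Wolsey's idea), can be shown with a few constructed packets. The script below is an added illustration and is not code from any poster or from an IPsec implementation: the encryption is a byte-XOR stand-in, the AH ICV is a zero placeholder, IP checksums are left at zero, and the addresses, SPIs and the "management" class name are made up for the example. It builds an SNMP-style UDP packet marked with DSCP EF, wraps it in an ESP tunnel between two site gateways (copying the inner TOS outward), then wraps that in an AH transport SA toward the provider, and finally classifies each packet using nothing but the outermost IP header and, where present, the AH SPI.

```python
"""Constructed example: classifying IPsec traffic from outer headers only."""
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(src, dst, proto, tos, total_len, ttl=64):
    # Minimal IPv4 header; header checksum is left at zero (not validated here).
    return struct.pack(IPV4_FMT, 0x45, tos, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    vihl, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"tos": tos, "proto": proto, "ihl": ihl,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}


def make_udp_packet(src, dst, tos, payload, dport=161):
    # Classification happens here, before any encryption: TOS is set on the inner packet.
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, tos, 20 + len(udp)) + udp


def toy_encrypt(data):
    # Placeholder for the ESP cipher; real ESP uses an authenticated cipher, not XOR.
    return bytes(b ^ 0x5A for b in data)


def esp_tunnel(inner, gw_src, gw_dst, spi, seq):
    # Tunnel mode: the whole inner packet becomes the ESP payload. The outer
    # header copies the inner TOS byte so the class survives encapsulation.
    inner_tos = parse_ipv4(inner)["tos"]
    esp = struct.pack("!II", spi, seq) + toy_encrypt(inner)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, inner_tos, 20 + len(esp)) + esp


def ah_transport(pkt, spi, seq):
    # Transport mode: the AH header is inserted between the original IP header
    # and its payload; the IP protocol field becomes AH and AH's next-header
    # field records the original protocol. TOS is untouched, so it stays visible.
    hdr = parse_ipv4(pkt)
    icv = b"\x00" * 12  # placeholder; a real ICV is an HMAC over the packet
    ah = struct.pack("!BBHII", hdr["proto"], 4, 0, spi, seq) + icv  # len field = 24/4 - 2
    total_len = 20 + len(ah) + len(hdr["payload"])
    return (ipv4_header(hdr["src"], hdr["dst"], IPPROTO_AH, hdr["tos"], total_len)
            + ah + hdr["payload"])


def provider_classify(pkt, spi_classes):
    # What a transport provider can do without decrypting anything: read the
    # outer TOS/DSCP, and if the outer protocol is AH, read the 32-bit SPI
    # (bytes 4..8 of the AH header) and look it up in a table agreed with the customer.
    hdr = parse_ipv4(pkt)
    if hdr["proto"] == IPPROTO_AH:
        spi = struct.unpack("!I", hdr["payload"][4:8])[0]
        if spi in spi_classes:
            return spi_classes[spi]
    return "dscp-%d" % (hdr["tos"] >> 2)  # top six bits of TOS are the DSCP


def demo():
    # Constructed addresses and SPIs; DSCP EF (46) is TOS byte 0xB8.
    inner = make_udp_packet("10.1.0.5", "10.2.0.9", 0xB8, b"snmp-get")
    tunnel = esp_tunnel(inner, "192.0.2.1", "198.51.100.1", 0x1001, 1)
    wrapped = ah_transport(tunnel, 0x2002, 1)
    spi_table = {0x2002: "management"}  # provider's agreed SPI-to-class mapping
    return {
        "inner_class": provider_classify(inner, spi_table),
        "tunnel_class": provider_classify(tunnel, spi_table),
        "wrapped_class": provider_classify(wrapped, spi_table),
        "tunnel_proto": parse_ipv4(tunnel)["proto"],
        "wrapped_proto": parse_ipv4(wrapped)["proto"],
        "wrapped_tos": parse_ipv4(wrapped)["tos"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `provider_classify` is that it never touches the encrypted ESP payload: the tunnel packet still classifies as EF because `esp_tunnel` copied the TOS outward, and the AH-wrapped packet can additionally be matched on its SPI, which gives the provider far more distinct classes than the TOS byte. RSVP, which needs to see the flow's own addresses and ports, gets nothing it can use from either packet.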