This is the text of hand-written viewgraphs from a presentation on "IPsec Interactions with ECN" by Sally Floyd at the IPsec working group at the Minneapolis IETF, March 1999.
------------------------------------------------------------------
IPsec Interactions with ECN
by Sally Floyd, David Black, and K. K. Ramakrishnan
(soon to be: draft-ipsec-ecn-00.txt)
* URL: http://www.aciri.org/floyd/papers/draft-ipsec-ecn-00.txt
* ECN: RFC 2481
------------------------------------------------------------------
The ECN field in the IP header (two bits of the IPv4 TOS octet):
* ECN-Capable Transport (ECT) - set by the end node
* Congestion Experienced (CE) - set by the router, instead of dropping the packet
RFC 2481, Experimental Status
------------------------------------------------------------------
* Current status:
  - Experiments with ECN cannot be used with IPsec, because of interactions between ECN and IPsec tunnel mode.
* Proposal: two options for IPsec tunnels
  - Limited-functionality option.
  - Full-functionality option.
------------------------------------------------------------------
Limited-functionality option:
* The outer header in an IPsec tunnel would always be marked as not-ECN-Capable.
* If the packet encounters congestion within the tunnel, it will be dropped.
* No added security vulnerabilities.
------------------------------------------------------------------
Full-functionality option:
* The outer header in an IPsec tunnel can be marked as ECN-Capable.
* If congestion is encountered, the packet can be marked instead of dropped.
* Security implications are discussed in the Internet-Draft.
------------------------------------------------------------------
Detailed changes to IPsec:
* Add a new field, ECN Tunnels Forbidden or Allowed, to the Security Association Database.
* Change IPsec tunnel header processing for the ECN field in the IP header.
* Add the optional ability for IPsec tunnels to negotiate the use of ECN (a new Security Association Attribute).
------------------------------------------------------------------
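The following is an added illustration of the two options above, written for this page; it is not code from the Internet-Draft or from any IPsec implementation. It models the per-SA "ECN Tunnels Forbidden or Allowed" flag, the ingress and egress handling of the ECN field, a congested router inside the tunnel, and an on-path attacker who flips the unauthenticated outer CE bit. The bit positions follow RFC 2481 (ECT is bit 6 and CE is bit 7 of the TOS octet); the names SecurityAssociation, encapsulate, decapsulate, congested_router and traverse_tunnel are assumptions made for the example, and the decision to leave the inner header unchanged in every case the slides do not cover is a simplifying assumption, not the draft's exception handling.

```python
"""ECN field handling for IPsec tunnel-mode SAs under the limited- and
full-functionality options. Added example, not code from the draft or
from an IPsec stack. ECN bits per RFC 2481: ECT is bit 6 and CE is bit 7
of the IPv4 TOS octet, i.e. the two low-order bits."""
from dataclasses import dataclass
from typing import Optional

ECT = 0x02         # ECN-Capable Transport, set by the end node
CE = 0x01          # Congestion Experienced, set by a router instead of dropping
ECN_MASK = ECT | CE


@dataclass
class SecurityAssociation:
    """The part of a SAD entry the example needs: the new per-SA flag
    (hypothetical field name) selecting limited or full functionality."""
    spi: int
    ecn_tunnels_allowed: bool   # False = limited functionality, True = full


def encapsulate(inner_tos: int, sa: SecurityAssociation) -> int:
    """Tunnel ingress: build the outer header's TOS octet from the inner one."""
    dscp = inner_tos & ~ECN_MASK          # keep the non-ECN bits as they are
    if not sa.ecn_tunnels_allowed:
        # Limited functionality: the outer header is always not-ECN-Capable,
        # so routers inside the tunnel can only drop, never mark.
        return dscp
    # Full functionality: the outer header is ECN-Capable when the inner one is.
    # A CE already present in the inner header is not copied outward; the
    # tunnel only ever adds a mark (assumption for this example).
    return dscp | ECT if inner_tos & ECT else dscp


def congested_router(outer_tos: int) -> Optional[int]:
    """A router inside the tunnel hitting congestion: mark CE if the outer
    header is ECT, otherwise drop the packet (None)."""
    if outer_tos & ECT:
        return outer_tos | CE
    return None


def decapsulate(inner_tos: int, outer_tos: int, sa: SecurityAssociation) -> int:
    """Tunnel egress: decide whether the outer ECN field reaches the inner header."""
    if not sa.ecn_tunnels_allowed:
        # Limited functionality: nothing from the outer ECN field is propagated,
        # so an on-path party gains no way to alter the protected packet.
        return inner_tos
    # Full functionality: a CE mark acquired inside the tunnel is copied into
    # an ECT inner header; all other combinations leave the inner header alone.
    if (outer_tos & CE) and (inner_tos & ECT):
        return inner_tos | CE
    return inner_tos


def traverse_tunnel(inner_tos: int, sa: SecurityAssociation,
                    congested: bool = False,
                    tamper_outer_ce: bool = False) -> Optional[int]:
    """Send one packet through the tunnel and return its inner TOS at egress,
    or None if a congested router dropped it on the way."""
    outer = encapsulate(inner_tos, sa)
    if congested:
        outer = congested_router(outer)
        if outer is None:
            return None
    if tamper_outer_ce:
        # On-path attacker sets the outer CE bit; the outer header is not
        # covered by the tunnel's integrity protection, so this is undetected.
        outer |= CE
    return decapsulate(inner_tos, outer, sa)


if __name__ == "__main__":
    limited = SecurityAssociation(spi=0x1001, ecn_tunnels_allowed=False)
    full = SecurityAssociation(spi=0x1002, ecn_tunnels_allowed=True)
    print("limited, congested:", traverse_tunnel(ECT, limited, congested=True))
    print("full, congested:   ", hex(traverse_tunnel(ECT, full, congested=True)))
    print("limited, tampered: ", hex(traverse_tunnel(ECT, limited, tamper_outer_ce=True)))
    print("full, tampered:    ", hex(traverse_tunnel(ECT, full, tamper_outer_ce=True)))
```

The last two runs are the point of the slides' security remark: with the limited-functionality option the outer CE bit never influences the protected inner packet, so flipping it buys an attacker nothing, whereas with the full-functionality option the same unauthenticated flip changes one bit of the inner header at the tunnel egress. The ECN-capable transport then reacts as if it had met real congestion, which is the trade-off the Internet-Draft weighs against the ability to mark rather than drop inside the tunnel.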