
Re: Do linux-diffserv and IPSec(FreeS/WAN) are compatible



Hello,

The behavior of IPSec was to copy the DS field from the inner to the outer IP header when
encapsulating packets until version 1.5 of FreeS/WAN.
This changed in version 1.6 (I think), where the default is now to put a Best Effort
DS field in the outer IP header for all packets, for the sake of security. However, a
new option is available that allows you to keep IPSec copying the DS field.

This is then OK for Diffserv, but you must be aware of the anti-replay mechanism of
IPSec, which may cause low-priority packets that have been (quite strongly) delayed in
the network due to QoS enforcement to be dropped at the receiving IPsec gateway. For
further info, you should read RFC 2983.

Heydari wrote:

> Can I integrate linux-diffserv and ipsec in linux?
> FreeS/WAN is an implementation of IPSec in linux.
> Does tunneling (encapsulating an IP packet in another IP packet) hide the DS field and create
> problems for diffserv-linux?
> Regards me.
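
The anti-replay interaction mentioned in the reply can be reproduced with a small simulation. This is an added example, not code from the original message or from FreeS/WAN. It assumes a single SA carrying both traffic classes, a 64-packet window, and a constructed traffic pattern in which every fourth packet is best-effort and is delayed by a fixed number of packet times.

```python
class ReplayWindow:
    """Sliding-window anti-replay check on the receiving gateway (illustrative)."""

    def __init__(self, size=64):          # 64 is an assumed window size
        self.size = size
        self.top = 0                      # highest sequence number accepted
        self.bitmap = 0                   # bit i set => (top - i) already seen

    def check(self, seq):
        """Return 'accept', 'replay', 'too_old' or 'invalid'; update state."""
        if seq == 0:                      # sequence numbers start at 1
            return "invalid"
        if seq > self.top:                # new highest: slide window forward
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:           # fell off the trailing edge
            return "too_old"
        if (self.bitmap >> offset) & 1:   # already received once
            return "replay"
        self.bitmap |= 1 << offset
        return "accept"


def simulate(n_packets, be_every, delay_slots, window=64):
    """Count drops per class when best-effort packets are delayed in transit.

    Constructed traffic: the sender numbers packets 1..n_packets in order;
    every be_every-th packet is best-effort (BE) and arrives delay_slots
    packet times late, the rest are expedited (EF) and arrive on time.
    """
    arrivals = []
    for seq in range(1, n_packets + 1):
        is_be = seq % be_every == 0
        arrivals.append((seq + (delay_slots if is_be else 0), seq, is_be))
    arrivals.sort()                       # order seen by the receiver

    rw = ReplayWindow(window)
    dropped = {"EF": 0, "BE": 0}
    for _, seq, is_be in arrivals:
        if rw.check(seq) != "accept":
            dropped["BE" if is_be else "EF"] += 1
    return dropped


if __name__ == "__main__":
    print("delay 10 :", simulate(1000, 4, 10))    # reordering within window
    print("delay 100:", simulate(1000, 4, 100))   # reordering beyond window
```

Genuine best-effort packets are dropped as soon as their extra delay exceeds the window measured in packets, even though nothing was replayed.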