Tero,

On Mon, Nov 16, 2009 at 6:39 PM, Tero Kivinen <kivi...@iki.fi> wrote:
> Bhatia, Manav (Manav) writes:
>> And the reason why you might want to use WESP is to prioritize
>> certain protocol packets over the others, as is normally done for v4
>> control packets (e.g. OSPFv3 HELLOs and ACKs over other OSPFv3
>> packets)
>
> You cannot do that, as if the packets get reordered more than what is
> the replay window size of the responder, then older packets will get
> dropped. If you want to do QoS you need to use multiple IPsec SAs each
> carrying only one traffic for one QoS level.
Since processing of the sequence number fields is at the discretion of the receiver, it can always elect not to enable the anti-replay service for a specific SA on which it needs to prioritize certain packets.

Also, if the keys have been manually distributed, which would most probably happen if WESP is being used as a standalone protocol, then compliant implementations SHOULD NOT provide anti-replay service.

In addition to this, we are discussing a multi-sender SA, in which case replay protection is anyway NOT recommended.

Sriram

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
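The two positions in this exchange, as an added illustration that is not code from the thread or from any IPsec implementation: a small RFC 4303-style sliding-window anti-replay check, fed a constructed arrival order in which a QoS queue forwards every tenth packet (the "control" traffic) immediately and holds the rest back. It shows the drops Tero describes when both classes share one SA with anti-replay on, and that they disappear either when the receiver disables the service on that SA (Sriram's point) or when each class gets its own SA. The window width of 64, the every-tenth-packet control mix and the 100-position hold-back are assumptions chosen for the demonstration.

```python
# Added illustration, not code from the thread; window size and traffic mix are constructed.
from collections import defaultdict


class ReplayWindow:
    """Minimal RFC 4303-style sliding-window anti-replay check (bitmap based)."""

    def __init__(self, size=64, enabled=True):
        self.size = size        # window width in sequence numbers
        self.enabled = enabled  # the receiver may turn the service off per SA
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set <=> seq (top - i) already received

    def accept(self, seq):
        """True if seq is accepted; False if dropped as a replay or as too old."""
        if not self.enabled:
            return True          # no sequence-number checking on this SA
        if seq > self.top:       # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:  # left of the window: too old, dropped
            return False
        if self.bitmap & (1 << offset):
            return False         # inside the window but already seen: replay
        self.bitmap |= 1 << offset
        return True


def qos_reordered_arrival(total=200, hold_back=100):
    """Constructed arrival order: every 10th sequence number is a control packet
    (e.g. a HELLO) that the QoS queue forwards at once; the bulk packets are
    held back by `hold_back` positions behind the control traffic."""
    packets = [(seq, seq % 10 == 0) for seq in range(1, total + 1)]
    return sorted(packets, key=lambda p: p[0] if p[1] else p[0] + hold_back)


def dropped_on_single_sa(anti_replay=True):
    """Sequence numbers the receiver drops when both classes share one SA."""
    win = ReplayWindow(enabled=anti_replay)
    return [seq for seq, _ in qos_reordered_arrival() if not win.accept(seq)]


def dropped_on_per_class_sas():
    """Same arrival order, but each QoS class rides its own SA (own window)."""
    wins = defaultdict(ReplayWindow)
    return [seq for seq, ctl in qos_reordered_arrival() if not wins[ctl].accept(seq)]
```

With the shared SA and anti-replay enabled, every bulk packet that arrives more than 64 sequence numbers behind the newest control packet is dropped (123 of the 180 bulk packets here); with anti-replay disabled on that SA, or with one SA per class, nothing is dropped.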