Date:      Wed, 02 May 2001 14:38:38 +0900
From:      Kenjiro Cho <kjc@csl.sony.co.jp>
To:        gunther@aurora.regenstrief.org
Cc:        snap-users@kame.net, freebsd-net@freebsd.org, ipfilter@coombs.anu.edu.au, altq@csl.sony.co.jp
Subject:   Re: [altq 806] The future of ALTQ, IPsec & IPFILTER playing together ...
Message-ID:  <20010502143838P.kjc@csl.sony.co.jp>
In-Reply-To: <3AEEEE79.8F7CC7B0@aurora.regenstrief.org>
References:  <3AEEEE79.8F7CC7B0@aurora.regenstrief.org>

Gunther Schadow wrote:
> However, I understand that ALTQ works in the data link layer at
> the interface to the NIC. IPsec, however, works above that layer,
> even before the IPFILTER rules (on outgoing packets.) So, we have
> the following "pipe"
> 
>    IPSEC -----> IPFILTER -------> ALTQ
> 
> the problem is that ALTQ will only see IPSEC ESP packets. So, 
> all the properties of the payload packets that allow me to 
> define the ALTQ classes are now encapsulated in ESP and thus 
> invisible to the ALTQ classifier.

In general, we don't recommend using tunnels since they introduce too
much complexity and, as itojun said, there's no single solution for
all possible combinations.

For your requirements, it seems simpler to apply TOS marking
beforehand.
The TOS field of the IP header is available to the ALTQ classifier
even with ESP both in the transport mode and the tunnel mode.
(this is what diffserv is all about.)
You can mark the TOS (or IPv6 traffic class) field either by
 - an application using setsockopt(2)
or
 - a diffserv traffic conditioner on the ingress interface
   (you will need another box for this)

Regarding classifier implementations,
Jason Thorpe and his colleagues at Zembu are working on a generic
programmable classifier based on the BPF language.
I'd like to merge it into ALTQ when it becomes available.

-Kenjiro
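
The setsockopt(2) marking mentioned in the message above, as an added example that is not part of the original e-mail or of ALTQ: it sets the DSCP on an IPv4 or IPv6 socket and reads it back to confirm what the kernel will put in the header. The function names and the AF21 code point (DSCP 18) are assumptions chosen for illustration.

```c
/* Added example: mark a socket's DSCP so a TOS-based classifier can match it. */
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* DSCP is the upper six bits of the TOS / traffic class byte; the low two are ECN. */
int dscp_to_tos(int dscp)
{
    if (dscp < 0 || dscp > 63)
        return -1;
    return dscp << 2;
}

/* Set the DSCP on fd, read the option back, and return the TOS byte
 * (ECN bits masked out) that the socket now carries, or -1 on error. */
int mark_dscp(int fd, int dscp)
{
    struct sockaddr_storage ss;
    socklen_t sslen = sizeof(ss);
    int tos = dscp_to_tos(dscp), got = 0;
    socklen_t len = sizeof(got);

    /* getsockname() reports the address family even on an unbound socket. */
    if (tos < 0 || getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0)
        return -1;
    int level = (ss.ss_family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (ss.ss_family == AF_INET6) ? IPV6_TCLASS : IP_TOS;
    if (setsockopt(fd, level, opt, &tos, sizeof(tos)) < 0)
        return -1;
    if (getsockopt(fd, level, opt, &got, &len) < 0)
        return -1;
    return got & 0xfc;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int tos = mark_dscp(fd, 18);            /* AF21, illustrative value */
    if (tos < 0) { perror("mark_dscp"); close(fd); return 1; }
    printf("socket marked, TOS byte = 0x%02x\n", tos);
    close(fd);
    return 0;
}
```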
