LARTC - Dec 2004 - Re: interesting expert problem - shaping over VPN

hi trevor,

well, if you''re controlling whats going over the vpn then there are
several options:

i''ve been playing with racoon lately (well longer then with freeswan)
so
i''m not so sure with ipsec, but ... it appears that the meta-data (
i.e.
packet marking) is perserved on packets that have not yet been encrypted
but are going to be.

as a general strategy, i would mark packets with different marks
depending on what the payload is -- maybe something like 0x1 for voice,
0x2 for smtp, etc.

then use these marks on the public interface to egress them towards the
internet in the highest priority.

mark the inbound packets coming off the internet (once they''ve been
decrypted) and place them in highest priority (depending on their type)

this wouldn''t be too bad -- in fact it''s about all you can do.

Alternatively, and with more complexity, open up several tunnels with
different spi''s -- pass traffic into tunnel by type -- this would allow
you to know what an encrypted packet was carrying without having to
decrypt it. cool, but i''m not sure that it would help much.

anyone else done this??? tcng files are great (hint :-)

cheers

charles

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/