<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri, sans-serif" size="2">
<div>Hello,</div>
<div> </div>
<div>Foremost, we want you to know that we appreciate strongSwan a lot, and we congratulate you on this software.</div>
<div>It is very useful, and we particularly appreciate your automated test suites.</div>
<div> </div>
<div>As part of QoS measurements on Cisco routers, we decided to check in your testing environment the behavior of the DSCP field through IPSec hosts, referring to the appropriate RFCs.</div>
<div>The DSCP values are totally arbitrary in our tests. In order to complete your test suites, we share our own test scenarios, hoping that they may interest you. We ran them with strongSwan 4.6.2 and 4.6.3, and they passed.</div>
<div> </div>
<div>There are 7 test scenarios, which we introduce below. In order to simplify the explanations, we call the hosts concerned A and B, and the gateway between them G.</div>
<div> </div>
<div>1° It is a simple ping between A and B via G.</div>
<div> No IPSec, no iptables rules.</div>
<div> It checks that the value of the DSCP field is 0 (the default).</div>
<div> </div>
<div>2° It is a ping between A and B via G.</div>
<div> No IPSec. Iptables rule for A: the DSCP field of its outbound ICMP packets is 1.</div>
<div> It checks that the ToS field of the ICMP packets between A and B is 4: <i>bits 7-2 of the IPv4 header ToS octet represent the DSCP field (RFC 2474) and bits 1-0 are 0 by default, so we have the relation ToS = DSCP * 4 with DSCP in decimal form.</i></div>
<div> </div>
<div>3° It is a ping from A to B through an IPSec tunnel between A and G. Tunnel mode is used.</div>
<div> Iptables rule for A: the DSCP field of its outbound ICMP packets is 2.</div>
<div> It checks:</div>
<div> - the established tunnel;</div>
<div> - the ToS field of the ICMP packets is 8;</div>
<div> - the DSCP field of the ESP packets is copied from their inner header: <i>"IPv4 -- Header Construction for Tunnel Mode</i></div>
<div> </div>
<pre><i>                      &lt;-- How Outer Hdr Relates to Inner Hdr --&gt;
                      Outer Hdr at                 Inner Hdr at
IPv4                  Encapsulator                 Decapsulator
  Header fields:      --------------------         ------------
    (…)
    TOS               copied from inner hdr (5)    no change"</i></pre>
<div>(RFC 2401, paragraph 5.1.2.1).</div>
<div> </div>
<div>4° Two IPSec tunnels are defined between A and G. Two traffic flows (ICMP and HTTP) are generated between A and B, with 2 different values for the DSCP field. Tunnel mode is used.</div>
<div> Iptables rules for A: the DSCP field of its outbound ICMP packets is 3 and that of its TCP-based HTTP packets is 1.</div>
<div> It checks:</div>
<div> - the established tunnels;</div>
<div> - the ToS fields of the packets are those imposed previously (the DSCP field of the TCP-based HTTP packets sent by B is 0, since no iptables rule was entered on B);</div>
<div> - the DSCP field of the ESP packets is taken from their inner header.</div>
<div> </div>
<div>5° Same as 4° but here the DSCP field of the ESP packets is forced to 2.</div>
<div> </div>
<div>6° Same as 4°, but here B also enters an iptables rule: the DSCP field of its outbound TCP-based HTTP packets is 1, so that the outgoing and incoming TCP-based HTTP packets between A and B have the same DSCP field value.</div>
<div> </div>
<div>7° Same as 6° but in transport mode.</div>
<div> </div>
<div>We also want you to know that we made a small modification to the script <i>do-tests.in</i>. This modification concerns only our tests dscp/*. For these scenarios, verbose mode is necessary for the tcpdump command to check the ToS field. We also restricted the captured flows to ICMP, ESP and HTTP, and we excluded the flow towards winnetou, in order to keep the tcpdump captures moderate in size.</div>
<div> </div>
<div>The tarball of our git tree containing only the directory of our test scenarios (named "dscp") and the modified script <i>do-tests.in</i> is attached. </div>
<div> </div>
<div>You just have to extract it with the command <i>tar xvjf dscp_tests.tar.bz2</i>; then the directory <i>testing/tests/dscp</i> and the script <i>testing/do-tests.in</i> will be installed. Finally, you can launch the tests as usual.</div>
<div> </div>
<div>Andreas, would it be possible for you to integrate our tests into the mainstream test series?</div>
<div> </div>
<div>Best regards,</div>
<div> </div>
<div>Jean-Marc & Stephanie</div>
<div> </div>
<div> </div>
<div>-- </div>
<div><a href="mailto:Jean-Marc.LACROIX@fr.thalesgroup.com"><font face="Consolas, monospace" size="2" color="#0000FF"><u>Jean-Marc.LACROIX@fr.thalesgroup.com</u></font></a></div>
<div><font face="Consolas, monospace" size="2">THALES Communications</font></div>
<div><font face="Consolas, monospace" size="2">160 Bd de Valmy, 92704 Colombes</font></div>
<div><font face="Consolas, monospace" size="2">DSC/FR/OPS/SAT/T&A</font></div>
<div><font face="Consolas, monospace" size="2">Tel : +33 (0)1 41 30 22 85</font></div>
<div><font face="Consolas, monospace" size="2">Gsm : +33 (0)6 82 29 98 66</font></div>
<div><font face="Consolas, monospace" size="2">Fax : +33 (0)1 41 30 31 71</font></div>
<div> </div>
<div> </div>
<div> </div>
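<div>The ToS/DSCP check that these scenarios perform on the verbose tcpdump output, written here in Python as an added example that is not part of the original message or of the strongSwan test suite; the capture lines, SPIs and addresses are constructed samples, and the inner-DSCP map and the forced ESP value are assumed inputs.</div>

```python
import re

# Constructed sample lines in the style of "tcpdump -v" output (not from the original message):
# ICMP with DSCP 2, ESP whose outer DSCP was copied, HTTP SYN with DSCP 1, ESP left at DSCP 0.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP (tos 0x8, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84) 10.1.0.10 > 10.2.0.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000002 IP (tos 0x8, ttl 64, id 2, offset 0, flags [DF], proto ESP (50), length 120) 10.1.0.10 > 192.168.0.1: ESP(spi=0x00000100,seq=0x1), length 100
12:00:00.000003 IP (tos 0x4, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 60) 10.1.0.10.40000 > 10.2.0.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000004 IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto ESP (50), length 96) 10.1.0.10 > 192.168.0.1: ESP(spi=0x00000200,seq=0x1), length 76
"""

# "tos 0x.." and "proto NAME (NUM)" as tcpdump prints them in verbose mode
HEADER_RE = re.compile(r"IP \(tos 0x([0-9a-fA-F]+),.*?proto (\w+) \(\d+\)")

def dscp_from_tos(tos):
    """RFC 2474: bits 7-2 of the ToS octet are the DSCP; bits 1-0 are ECN (RFC 3168)."""
    return tos >> 2

def tos_from_dscp(dscp, ecn=0):
    """Inverse relation; with ECN 0 this is the ToS = DSCP * 4 used in the scenarios."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn

def parse_capture(text):
    """Yield (line_no, proto, dscp, ecn) for every line carrying a verbose IPv4 header."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.search(line)
        if m:
            tos = int(m.group(1), 16)
            yield line_no, m.group(2), dscp_from_tos(tos), tos & 0x3

def check_capture(text, inner_dscp, esp_forced=None):
    """Return [(line_no, proto, dscp)] that violate the scenario. inner_dscp maps a plaintext
    protocol name (as tcpdump prints it) to the DSCP its iptables rule sets. In tunnel mode the
    outer ESP header copies the inner DSCP (RFC 2401 5.1.2.1), so ESP packets must carry one of
    those values, unless the gateway forces a fixed value (esp_forced, as in scenario 5)."""
    esp_allowed = {esp_forced} if esp_forced is not None else set(inner_dscp.values())
    violations = []
    for line_no, proto, dscp, _ecn in parse_capture(text):
        if proto == "ESP":
            ok = dscp in esp_allowed
        elif proto in inner_dscp:
            ok = dscp == inner_dscp[proto]
        else:
            continue  # protocol not covered by the scenario's expectations
        if not ok:
            violations.append((line_no, proto, dscp))
    return violations
```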
</font>
</body>
</html>