Skip to main content

23.3 IPsec Security Association Attribute

23.3 IPsec Security Association Attribute

This document defines a new IPsec Security Association attribute for negotiating ECN support in IPsec tunnels, as described in Section 9.2.1.2.

ECN Tunnel Attribute

  • Attribute Name: ECN_TUNNEL
  • Attribute Type: [To be assigned by IANA]
  • Attribute Format: Basic (fixed-length)
  • Attribute Values:
    • 0: ECN not permitted in outer header (limited-functionality option)
    • 1: ECN permitted in outer header (full-functionality option)

This attribute is used during IPsec SA negotiation (e.g., IKE Phase 2 Quick Mode) to allow tunnel endpoints to negotiate whether ECN functionality will be permitted in the outer header of tunnel mode SAs.

The attribute is OPTIONAL. If not present in an SA negotiation, the default behavior is that ECN is not permitted in the outer header (limited-functionality option).

IANA has assigned an attribute type value for this SA attribute from the IPsec Security Association Attributes registry defined in [RFC2407].

This specification updates RFC 2401 [RFC2401] and RFC 2407 [RFC2407] by adding this new SA attribute and modifying the SA Database to include the ECN_TUNNEL field as described in Section 9.2.1.1.

The addition of this attribute provides a mechanism for secure negotiation of ECN usage in IPsec tunnels, allowing security administrators to make informed decisions about ECN deployment based on their security policies.