Skip to main content

9.2.1.1 The ECN_TUNNEL SA Database Field

9.2.1.1 The ECN_TUNNEL SA Database Field

This document defines a new field in the IPsec Security Association Database (SAD) called ECN_TUNNEL. This field is used to indicate whether ECN functionality is permitted in the outer header of an IPsec tunnel mode SA.

The ECN_TUNNEL field can have the following values:

  • Not permitted: ECN is not permitted in the outer header. The tunnel MUST use the limited-functionality option, setting not-ECT in the outer header regardless of the inner header's ECN field.

  • Permitted: ECN is permitted in the outer header. The tunnel MAY use the full-functionality option, copying the ECN field from the inner header to the outer header (with appropriate modifications as specified in Section 9.1.1).

The ECN_TUNNEL field is set during SA establishment, either through manual configuration or through negotiation using the ECN Tunnel SA attribute (described in the next section).

If the ECN_TUNNEL field is not present or not set in an SA, the default behavior MUST be "not permitted", ensuring backward compatibility with older IPsec implementations.

Security administrators can configure this field based on their assessment of the risks and benefits of using ECN in their IPsec tunnels. In high-security environments where covert channels are a concern, administrators may choose to always set this field to "not permitted".