Skip to main content

9.2.1.2 The ECN Tunnel SA Attribute

9.2.1.2 The ECN Tunnel SA Attribute

This document defines a new IPsec Security Association attribute called the ECN Tunnel attribute. This attribute is used during SA negotiation (e.g., with IKE - Internet Key Exchange) to allow tunnel endpoints to negotiate whether ECN functionality will be permitted in the outer header of the tunnel.

The ECN Tunnel attribute is a Basic attribute type as defined in [RFC2407]. It is used in Phase 2 (Quick Mode) exchanges to negotiate ECN support for the SA being established.

The attribute has the following characteristics:

  • Attribute Type: A new value assigned by IANA (see Section 23.3)
  • Format: Basic (fixed-length)
  • Values:
    • 0: ECN not permitted in outer header (limited-functionality option)
    • 1: ECN permitted in outer header (full-functionality option)

When an initiator sends a proposal that includes the ECN Tunnel attribute, it is indicating its willingness to use ECN in the tunnel's outer header. The responder can:

  • Accept the proposal by including the same attribute in its response
  • Reject the attribute by not including it in the response (falling back to the limited-functionality option)

If the ECN Tunnel attribute is not present in a proposal, it means ECN is not permitted in the outer header, and the tunnel MUST use the limited-functionality option.

The use of this attribute is OPTIONAL. Implementations that do not support ECN in IPsec tunnels will simply ignore this attribute, ensuring backward compatibility.