9.2.1.2 The ECN Tunnel SA Attribute
9.2.1.2 The ECN Tunnel SA Attribute
This document defines a new IPsec Security Association attribute called the ECN Tunnel attribute. This attribute is used during SA negotiation (e.g., with IKE - Internet Key Exchange) to allow tunnel endpoints to negotiate whether ECN functionality will be permitted in the outer header of the tunnel.
The ECN Tunnel attribute is a Basic attribute type as defined in [RFC2407]. It is used in Phase 2 (Quick Mode) exchanges to negotiate ECN support for the SA being established.
The attribute has the following characteristics:
- Attribute Type: A new value assigned by IANA (see Section 23.3)
- Format: Basic (fixed-length)
- Values:
- 0: ECN not permitted in outer header (limited-functionality option)
- 1: ECN permitted in outer header (full-functionality option)
When an initiator sends a proposal that includes the ECN Tunnel attribute, it is indicating its willingness to use ECN in the tunnel's outer header. The responder can:
- Accept the proposal by including the same attribute in its response
- Reject the attribute by not including it in the response (falling back to the limited-functionality option)
If the ECN Tunnel attribute is not present in a proposal, it means ECN is not permitted in the outer header, and the tunnel MUST use the limited-functionality option.
The use of this attribute is OPTIONAL. Implementations that do not support ECN in IPsec tunnels will simply ignore this attribute, ensuring backward compatibility.