IPsec Interactions with ECN

Document Type: Expired Internet-Draft (ipsec WG)
Authors: Sally Floyd, David Black, K. Ramakrishnan
Last updated: 1999-12-08
Stream: Internet Engineering Task Force (IETF)
Intended RFC status: Informational
Expired & archived
Stream WG state: WG Document
Document shepherd: No shepherd assigned
IESG state: Expired
Consensus Boilerplate: Unknown
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


IPsec supports secure communication over potentially insecure network components such as intermediate routers. IPsec protocols support two operating modes, transport mode and tunnel mode. Explicit Congestion Notification (ECN) is an experimental addition to the IP architecture that provides notification of the onset of congestion to delay- or loss-sensitive applications. ECN provides congestion notifications to enable adaptation to network conditions without the impact of dropped packets [RFC 2481]. The use of two bits in the IPsec header for ECN experimentation conflicts with header processing at IPsec tunnel endpoints in a manner that makes ECN unusable in the presence of IPsec tunnels. This document considers issues related to this conflict, describes two alternative solutions, and updates the IPsec architecture [RFC 2401] to include these alternatives. Support for one or the other of these alternatives is REQUIRED to remove the underlying conflict.


Sally Floyd (floyd@icir.org)
David Black (black_david@emc.com)
K. Ramakrishnan (kkrama@research.att.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)