Francis Dupont wrote:
> 
> [...]
> 
>    Alex's idea of using "server port number" is in fact
>    interesting, since it would allow you to classify traffic
>    on its original well-known port #, without having to rely
>    on dynamically assigned port #s for classification.
> 
> => I don't like the idea to have an official covert channel
> with the flow label: security people won't buy this.
> They'd like to hide things then they can express their policy
> (i.e. what they accept to reveal) into the SPD then the choice
> of SPIs...
> 

Francis,

If I understand you correctly, you think it is not good to have the
flow label carry "in clear" information which is also carried in parts
of the transport header, which is hidden through encryption.

Well, the source and destination are in the clear... But, if one wants to
protect the flow label, then the packet can be encrypted in tunnel mode,
to hide everything in the IPv6 main header.

Alex
