My understanding of the draft was that one of the goals is for intervening routers to be able to make routing decisions based on the contents of the security label (Section 3.4): A router needs to trust the authenticity and integrity of a packet before making routing decision based on the content of its label.

The proposal is to permit security labels in Hop-By-Hop Extension Headers, which (if I remember correctly) are only protected by AH. This would seem to require AH.

Best Regards,
Joseph D. Harwood
[EMAIL PROTECTED]
www.vesta-corp.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 01, 2001 11:27 AM
> To: Kais Belgaied
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: Internet Draft for explicit security labels in IPv6.
>
> In message <[EMAIL PROTECTED]>, Kais Belgaied writes:
> >It mandates a guarantee that the label on the IPv6 is authentic before trusting
> >it. In a link-local scope, where the label is proposed to be carried in the
> >destination header, ESP is mandatory and sufficient.
> >On a wider scope, AH is necessary.
>
> Or it could be bound to the certificate and recreated at the far end.
>
> >Kais.
> >
> > >This sounds like it mandates the use of AH, is that correct?
> > >
> > >Best Regards,
> > >Joseph D. Harwood
> > >[EMAIL PROTECTED]
> > >www.vesta-corp.com
> > >
> > >> -----Original Message-----
> > >> From: [EMAIL PROTECTED]
> > >> [mailto:[EMAIL PROTECTED]]On Behalf Of Kais Belgaied
> > >> Sent: Wednesday, February 28, 2001 7:18 PM
> > >> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > >> Subject: Internet Draft for explicit security labels in IPv6.
> > >>
> > >> Greetings,
> > >>
> > >> IPv4 had IPSO and CIPSO for labeling of packets assuming we're operating
> > >> within the premises of a trusted infrastructure.
> > >> IPv6 only has the implicit labeling by having different IPsec SAs convey
> > >> different labels.
> > >> We think there is a need to have explicit labels in IPv6, whether or not
> > >> IPsec is used.
> > >>
> > >> Please see draft-belgaied-ipv6-lsopt-00.txt
> > >>
> > >> http://www.ietf.org/internet-drafts/draft-belgaied-ipv6-lsopt-00.txt
> > >>
> > >> Regards,
> > >> Kais.
>
> --Steve Bellovin, http://www.research.att.com/~smb
