Bill Sommerfeld writes:
 > >  > It seems that it would be appropriate for an implementation to
 > >  > "reclassify" packets at the time of encapsulation into ESP -- the
 > >  > packet is, after all, going through a logical trust boundary as it's
 > >  > being encrypted..
 > > 
 > >    If I understand Brian's concern correctly, that may
 > >    not necessarily be the case. The security gateway may
 > >    be on egress from my network and hence controlled by me.
 > ...
 > 
 > >    luserdata------------>SG---------------------->AR
 > >                      (classifies,              (polices
 > >                  remarks dscp,             SLA against
 > >                  encrypts)                 DSCP, remarks)
 > 
 > No, there are two trust boundaries in the above network; the
 > subscriber's is inside SG, and the provider's is inside AR...

   Correct, however I'm not sure why that's pertinent
   to what I wrote. I'm trying to understand why this
   setup is deficient.

            Mike
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
