True enough. That's why the SPI may suffice for Intserv flow_specs, but it doesn't help for diffserv classification.
Brian

"Perry E. Metzger" wrote:
>
> There is this myth going around that you can't distinguish ESP traffic
> by any external means, but that of course can't be true or you
> couldn't figure out which keys to use to decrypt the traffic. The SPI
> distinguishes the use of a particular keyset, and our usual dogma in
> the IPSEC world is that you should try to avoid re-using keys across
> flows, so in fact ESP traffic is not opaque for purposes of
> distinguishing flows. The SPI will generally represent a flow (except
> in the VPN case which has a myriad of its own problems.)
>
> --
> Perry E. Metzger [EMAIL PROTECTED]
> --
> NetBSD Development, Support & CDs. http://www.wasabisystems.com/

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
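An added illustration of the point made in the quoted message, not code from either poster: a classifier that keys IPv6 ESP traffic on (source, destination, SPI), all read from cleartext headers. The packets, addresses and SPI values are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct
from collections import Counter

ESP = 50
# IPv6 extension headers that start with (next header, length in 8-octet units).
# Fragment headers (44) are deliberately not walked: such packets return None.
EXT_HEADERS = {0, 43, 60}   # hop-by-hop, routing, destination options

def esp_flow_key(packet: bytes):
    """Return (src, dst, spi) for an IPv6 packet carrying ESP, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header = packet[6]
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    offset = 40
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            return None
        next_header, ext_len = packet[offset], packet[offset + 1]
        offset += (ext_len + 1) * 8
    if next_header != ESP or offset + 8 > len(packet):
        return None
    # The SPI and sequence number precede the ciphertext and are not encrypted.
    spi, _seq = struct.unpack_from("!II", packet, offset)
    return (str(src), str(dst), spi)

def count_flows(packets):
    """Count packets per (src, dst, SPI); packets without ESP are skipped."""
    return Counter(k for k in map(esp_flow_key, packets) if k is not None)

def build_packet(src, dst, spi, seq, dest_opts=False):
    """Constructed sample: IPv6 header, optional destination options, ESP."""
    esp = struct.pack("!II", spi, seq) + bytes(16)  # zeros stand in for ciphertext
    ext = bytes([ESP, 0, 1, 4, 0, 0, 0, 0]) if dest_opts else b""  # PadN only
    first = 60 if dest_opts else ESP
    header = struct.pack("!IHBB", 6 << 28, len(ext) + len(esp), first, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + ext + esp)

SAMPLE = [  # constructed packets: documentation addresses, made-up SPIs
    build_packet("2001:db8::1", "2001:db8::2", 0x1001, 1),
    build_packet("2001:db8::1", "2001:db8::2", 0x1001, 2, dest_opts=True),
    build_packet("2001:db8::1", "2001:db8::2", 0x2002, 1),
]

if __name__ == "__main__":
    for key, n in count_flows(SAMPLE).items():
        print(key, n)
```

The key contains nothing from the encrypted payload, so the inner protocol and ports never appear in it.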
