On Monday 07 December 2009 11:59:51 pm Steven Bellovin wrote:
> On Dec 7, 2009, at 5:26 PM, Paul Moore wrote:
> > On Monday 07 December 2009 05:16:26 pm Stephen Kent wrote:
> >> Paul,
> >>
> >> From your comments it seems as though an IP option would be
> >> preferable, as it is not IPsec-specific, and it can be protected if
> >> needed, in the IPsec context, e.g., via tunneling.
> >
> > Exactly. Since the option would be immutable it could also be protected
> > with AH, allowing for intermediate nodes to apply security policy based on
> > the label.
>
> Not really, because the intermediate nodes probably don't have the key
> necessary to verify the label.
Yes, my mistake. While the security label would be visible to intermediate nodes, they would have no way to verify the integrity of the label.

--
paul moore
linux @ hp

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
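The distinction Bellovin draws and Moore concedes above (a label in an immutable IP option is covered by the AH ICV, so it is readable by every hop but verifiable only by a node holding the SA's integrity key) can be shown with a small model. The following is an added example written for this page; it is not code from the IPsec list, from Linux, or from any IPsec implementation. It models AH as in RFC 4302 Appendix A (mutable IPv4 fields zeroed before the ICV, AH header covered with its ICV field zeroed, payload covered) using HMAC-SHA-256-128 (RFC 4868). The option type 0x9A, the key, the SPI and the addresses are constructed values; in particular 0x9A is a hypothetical stand-in for whatever option number a label option would be assigned.

```python
"""Model of an AH-protected IPv4 header carrying a security label in an option.

Added illustration, not code from the IPsec WG or any implementation. The
option type, key and addresses below are constructed for the example.
"""
import hashlib
import hmac
import struct

AH_KEY = bytes(range(32))   # constructed SA integrity key; only the two peers hold it
LABEL_OPTION_TYPE = 0x9A    # hypothetical option number, not an IANA assignment
AH_PROTO = 51
ICV_LEN = 16                # HMAC-SHA-256-128 (RFC 4868)


def set_checksum(hdr):
    """Recompute the IPv4 header checksum (a mutable field, not covered by AH)."""
    h = bytearray(hdr)
    h[10:12] = b"\x00\x00"
    s = sum(struct.unpack("!%dH" % (len(h) // 2), bytes(h)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    h[10:12] = struct.pack("!H", (~s) & 0xFFFF)
    return bytes(h)


def build_ipv4_header(src, dst, ttl, label, payload_len):
    """IPv4 header with the label carried in an option, padded to 32 bits."""
    option = bytes([LABEL_OPTION_TYPE, 2 + len(label)]) + label
    option += b"\x00" * ((-len(option)) % 4)
    ihl = 5 + len(option) // 4
    total_len = ihl * 4 + 12 + ICV_LEN + payload_len   # IP hdr + AH + payload
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                      0x1234, 0, ttl, AH_PROTO, 0, src, dst) + option
    return set_checksum(hdr)


def zero_mutable_fields(hdr):
    """RFC 4302 App. A: TOS, flags/fragment offset, TTL and checksum are
    mutable and zeroed for the ICV. The label option is immutable, so it
    stays covered and cannot be rewritten in transit without detection."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key, src, dst, label, payload, spi=0x1000, seq=1):
    """Sender: IP header with label option, AH header, payload."""
    ip_hdr = build_ipv4_header(src, dst, 64, label, len(payload))
    ah_payload_len = (12 + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", 17, ah_payload_len, 0, spi, seq)  # next hdr: UDP
    return ip_hdr, ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload), payload


def _label_offset(ip_hdr):
    """Walk the option list; return the offset of the label option or -1."""
    ihl = (ip_hdr[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        t = ip_hdr[i]
        if t == 0:            # End of Option List
            break
        if t == 1:            # No-Operation, single byte
            i += 1
            continue
        if t == LABEL_OPTION_TYPE:
            return i
        i += ip_hdr[i + 1]
    return -1


def read_label(ip_hdr):
    """Any node on the path can do this: no key needed to read the label."""
    i = _label_offset(ip_hdr)
    return None if i < 0 else ip_hdr[i + 2:i + ip_hdr[i + 1]]


def verify(key, ip_hdr, ah_hdr, payload):
    """Only a node holding the SA key can do this."""
    ah_fixed, icv = ah_hdr[:12], ah_hdr[12:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def router_hop(ip_hdr):
    """Legitimate forwarding: TTL decremented, checksum fixed. ICV still holds."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return set_checksum(bytes(h))


def tamper_label(ip_hdr, new_label):
    """A hop rewriting the label in place (same length). The endpoint's ICV
    check catches it; a keyless hop downstream cannot tell the difference."""
    i = _label_offset(ip_hdr)
    assert i >= 0 and ip_hdr[i + 1] == 2 + len(new_label)
    h = bytearray(ip_hdr)
    h[i + 2:i + 2 + len(new_label)] = new_label
    return set_checksum(bytes(h))
```

Walking a packet through `router_hop` and then `tamper_label` shows both halves of the point: the hop's TTL change does not disturb the ICV, the label rewrite does, and a node that calls `verify` with anything other than the SA key gets `False` for the genuine and the forged packet alike, so it learns nothing about the label's integrity.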
