On Dec 7, 2009, at 5:26 PM, Paul Moore wrote:
> On Monday 07 December 2009 05:16:26 pm Stephen Kent wrote:
>> Paul,
>>
>> From your comments it seems as though an IP option would be
>> preferable, as it is not IP-sec-specific, and it can be protected if
>> needed, in the IPSec context, e.g., via tunneling.
>
> Exactly. Since the option would be immutable it could also be protected with
> AH allowing for intermediate nodes to apply security policy based on the
> label.
Not really, because the intermediate nodes probably don't have the key
necessary to verify the label.
> Although I do understand AH is falling out of favor.
I certainly hope so...
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec