On Wed, 2009-12-09 at 12:29 -0800, Jarrett Lu wrote:
> I could be wrong here. I thought the opaque blob is passed as payload
> in IKE exchange, not as IP option in the header.

There are multiple places where labels could appear on a packet by
packet basis:

a) explicitly in each packet outside encryption
b) explicitly in each packet inside encryption
c) implicitly (as an attribute of the security association)

Any router forwarding the packet which doesn't have the encryption key
should not be able to tell the difference between (b) and (c).

In all three cases, labels could also be part of the key management
protocol; in case (c) that's the only place they appear in a wire
protocol.

When I implemented the labeled IPsec now in Solaris development builds,
I found that (c) was the simplest piece of the implementation -- there's
no per-packet on-the-wire protocol change.

I think labeled IPsec is a large enough problem space that it could keep
an entire working group busy.

                                        - Bill
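A toy model of the three label placements (a), (b) and (c) described in the message above, added here as an illustration; it is not Solaris code, not a real ESP implementation, and not part of the original thread. The SA table, the SPI values, the "LBL:" tag and the HMAC-based keystream are all constructed for the example. It shows the observation that a forwarding router without the SA key sees a cleartext label only in case (a), cannot distinguish (b) from (c), and that in case (c) the endpoint recovers the label purely from the SA it looks up by SPI, with nothing extra on the wire.

```python
import hashlib
import hmac
import struct

# Constructed SA table (SPI -> (key, implicit label)).  In a real system this
# state is set up by the key-management protocol; here it is hard-coded.
SA_TABLE = {
    0x1001: (b"\x11" * 16, None),      # SA carrying no label attribute
    0x1002: (b"\x22" * 16, "SECRET"),  # label is an SA attribute: case (c)
}

LABEL_TAG = b"LBL:"  # constructed marker for an explicit label field


def _keystream(key, spi, seq, n):
    """Toy keystream (HMAC-SHA256 in counter mode).  Illustration only, not ESP."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = struct.pack("!IIQ", spi, seq, counter)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def build_packet(mode, spi, seq, payload, label):
    """Return (cleartext_option, esp) for one of the three placements.

    mode "a": label in a cleartext option outside encryption
    mode "b": label inside the encrypted ESP payload
    mode "c": label implied by the SA (no on-the-wire change at all)
    """
    key, sa_label = SA_TABLE[spi]
    option = b""
    inner = payload
    if mode == "a":
        option = LABEL_TAG + label.encode()
    elif mode == "b":
        inner = LABEL_TAG + label.encode() + b"\x00" + payload
    elif mode == "c":
        if sa_label != label:
            raise ValueError("case (c): label must be the SA's own attribute")
    else:
        raise ValueError("unknown mode %r" % mode)
    ciphertext = _xor(inner, _keystream(key, spi, seq, len(inner)))
    esp = struct.pack("!II", spi, seq) + ciphertext  # toy ESP header: SPI, seq
    return option, esp


def router_view(option, esp):
    """What a forwarding router without the SA key can observe."""
    spi, seq = struct.unpack("!II", esp[:8])
    label = option[len(LABEL_TAG):].decode() if option.startswith(LABEL_TAG) else None
    return {"spi": spi, "seq": seq, "label": label, "ciphertext_len": len(esp) - 8}


def receiver_view(option, esp):
    """What the IPsec endpoint holding the SA recovers: (label, payload)."""
    spi, seq = struct.unpack("!II", esp[:8])
    key, sa_label = SA_TABLE[spi]
    inner = _xor(esp[8:], _keystream(key, spi, seq, len(esp) - 8))
    if inner.startswith(LABEL_TAG):           # case (b): label was encrypted
        lbl, _, payload = inner[len(LABEL_TAG):].partition(b"\x00")
        return lbl.decode(), payload
    if sa_label is not None:                  # case (c): label comes from the SA
        return sa_label, inner
    if option.startswith(LABEL_TAG):          # case (a): label was in the clear
        return option[len(LABEL_TAG):].decode(), inner
    return None, inner


def demo():
    """Label as seen by an unkeyed router vs. by the endpoint, per mode."""
    payload = b"hello"
    pkts = {
        "a": build_packet("a", 0x1001, 1, payload, "SECRET"),
        "b": build_packet("b", 0x1001, 2, payload, "SECRET"),
        "c": build_packet("c", 0x1002, 3, payload, "SECRET"),
    }
    return {m: (router_view(*p)["label"], receiver_view(*p)[0]) for m, p in pkts.items()}


if __name__ == "__main__":
    for mode, (at_router, at_endpoint) in demo().items():
        print(mode, "router sees:", at_router, "endpoint sees:", at_endpoint)
```

Running `demo()` gives `("SECRET", "SECRET")` for (a) and `(None, "SECRET")` for both (b) and (c): the router can read the label only when it sits outside the encryption, while the endpoint recovers it in every case. The keystream here is a stand-in so the example runs offline; it says nothing about real ESP transforms.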

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec