On Dec 10, 2009, at 2:57 PM, Bill Sommerfeld wrote:
> On Wed, 2009-12-09 at 12:29 -0800, Jarrett Lu wrote:
>> I could be wrong here. I thought the opaque blob is passed as payload
>> in IKE exchange, not as IP option in the header.
>
> There are multiple places where labels could appear on a packet by
> packet basis:
>
> a) explicitly in each packet outside encryption
> b) explicitly in each packet inside encryption
> c) implicitly (as an attribute of the security association)
>
> any router forwarding the packet which doesn't have the encryption key
> should not be able to tell the difference between (b) and (c).
>
> In all three cases, labels could also be part of the key management
> protocol; in case (c) that's the only place they appear in a wire
> protocol.
>
> when I implemented the labeled IPsec now in solaris development builds,
> I found that (c) was the simplest piece of the implementation -- there's
> no per-packet on-the-wire protocol change.
Yes. In fact, if I recall correctly, the WG explicitly agreed many years ago,
back when we adopted the IPsec v2 standards, that this was our preferred
approach. I also don't understand why labels in the cleartext portion do
any more good than putting it in the SA, since routers can't verify it without
a lot of trouble.
Having a security label between the host and IPsec gateways is another
matter -- that would be interesting indeed.
>
> I think labeled IPsec is a large enough problem space that it could keep
> an entire working group busy.
Right -- and to what end?
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
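The three label placements Bill lists above (a: cleartext per packet, b: inside the protected payload, c: an attribute of the SA) can be modelled in a few lines to make the "router can't tell (b) from (c)" point concrete. The following is an added illustration, not code from the thread or from the Solaris implementation it mentions: the packet layout, the `SecurityAssociation`/`Packet` classes, the HMAC-counter keystream standing in for ESP encryption, and the sample label and payload are all constructed for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BLOCK = 32  # pad the protected part to a multiple of this so its length leaks nothing


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stand-in for ESP confidentiality (HMAC-SHA256 in counter mode); model only.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class SecurityAssociation:
    spi: int
    key: bytes
    label: Optional[str] = None  # placement (c): label negotiated in key management, bound to the SA


@dataclass
class Packet:
    spi: int
    nonce: bytes
    cleartext_label: Optional[str]  # placement (a): visible to every forwarding router
    protected: bytes                # everything a router without the key cannot read


def protect(sa: SecurityAssociation, inner: bytes, nonce: bytes) -> bytes:
    framed = struct.pack(">H", len(inner)) + inner
    framed += b"\x00" * (-len(framed) % BLOCK)
    return xor_bytes(framed, keystream(sa.key, nonce, len(framed)))


def unprotect(sa: SecurityAssociation, protected: bytes, nonce: bytes) -> bytes:
    framed = xor_bytes(protected, keystream(sa.key, nonce, len(protected)))
    (n,) = struct.unpack(">H", framed[:2])
    return framed[2:2 + n]


def build_packet(sa: SecurityAssociation, payload: bytes, placement: str,
                 label: str, nonce: bytes) -> Packet:
    if placement == "a":
        return Packet(sa.spi, nonce, label, protect(sa, payload, nonce))
    if placement == "b":
        return Packet(sa.spi, nonce, None, protect(sa, label.encode() + b"\x00" + payload, nonce))
    if placement == "c":
        if sa.label != label:
            raise ValueError("placement (c) needs an SA negotiated for this label")
        return Packet(sa.spi, nonce, None, protect(sa, payload, nonce))
    raise ValueError(placement)


def router_view(pkt: Packet) -> Dict[str, object]:
    """What a forwarding router that lacks the SA key can observe."""
    return {"spi": pkt.spi, "cleartext_label": pkt.cleartext_label,
            "protected_len": len(pkt.protected)}


def receive(sad: Dict[int, SecurityAssociation], pkt: Packet, placement: str) -> Tuple[str, bytes]:
    """Receiver recovers (label, payload); for (c) the label comes from the SA, not the wire."""
    sa = sad[pkt.spi]
    inner = unprotect(sa, pkt.protected, pkt.nonce)
    if placement == "a":
        return pkt.cleartext_label, inner
    if placement == "b":
        label, _, payload = inner.partition(b"\x00")
        return label.decode(), payload
    return sa.label, inner


def demo() -> Dict[str, Dict[str, object]]:
    # Constructed sample values: one SA carrying the label "SECRET", one short payload.
    sa = SecurityAssociation(spi=1, key=b"k" * 32, label="SECRET")
    sad = {sa.spi: sa}
    payload, nonce = b"hello", b"\x00" * 8
    result = {}
    for placement in ("a", "b", "c"):
        pkt = build_packet(sa, payload, placement, "SECRET", nonce)
        label, data = receive(sad, pkt, placement)
        result[placement] = {"router": router_view(pkt), "label": label, "payload": data}
    return result


if __name__ == "__main__":
    for placement, r in demo().items():
        print(placement, r)
```

Running `demo()` shows the asymmetry the thread is about: in (a) the router sees the label and has nothing to check it against, while in (b) and (c) its view is identical and the receiver still recovers the same label, either from the decrypted payload or from the SA it already holds.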