Hi Bill, > Pointers to review materials can be found at: > > http://www.opensolaris.org/os/project/txipsec/Design/ > > This is an open design review. Please send questions about the > material and review comments to security-discuss at opensolaris.org. >
Section 5.5.2: Could you please explain the rationale for the discrepancy between 1 (wire-label inner) and 3 (wire-label label). In the former, the IKE traffic is sent as ADMIN_LOW and in the latter it is sent at the specified label. Is there an operational reason why this decision was made? Are there any reasons why an admin might want independent control over the IKE traffic's label (or lack thereof) and IPsec traffic's label in both cases? Thanks, Paul
