On Thu, 2008-05-15 at 12:11 -0700, Jan Parcel wrote:
> The assumption that things are under single administration is a huge problem
> for my customers.

This limitation exists to allow us to quickly deliver the core technology first; we will be able to loosen this over time, but we need to take some baby steps first.

> The whole point of all this protection and security
> and labeling is the post-9/11 requirements for cooperation BETWEEN
> administrative departments, which means each one wants to gate between
> themselves and others. So General Dynamics wants to be able to
> REQUIRE labels partway through the route, and delete them later.

The assumption in the initial stage is that a pair of systems that communicate with each other using multiple labels will be under common administration to coordinate label encodings, etc. If a gateway is stripping labels in the middle of the path, then I assume you're not using multiple labels between that pair of communicating IP addresses. In that case, you'll need sufficient coordination between the administrators to establish IPsec authentication, but not much more than that.

> Implicit labeling needs to be done carefully or be able to be turned off.

If you don't enable it in the IKE config file (which lives in the global zone), it won't be used.

- Bill