Bill Sommerfeld wrote:
> A revised design document incorporating responses to the comments so
> far, plus a glossary of terms used in the document, is now available at:
>
> http://www.opensolaris.org/os/project/txipsec/Design/phase1-0.4.pdf
>
The changes from my previous comments look good. More comments follow:

Page 4 Section 5.3 paragraph 3
Nit: remove "will not" from "..label will not be inserted.."

Page 4 Section 5.3 paragraph 4
From James Carlson in a previous message on this thread:
> This option adds a new case: two label-aware hosts talking to each
> other using packets that lack labels. The only other case where we've
> had anything like that is with packets that cannot take a label (ARP)
> and where the communication is really kernel-to-kernel rather than
> user-to-user (NDP).

The ARP and NDP cases both involve easily identified packets that are only exchanged with nodes on an attached link. TX routers currently verify that all packets received from a multi-label host contain a CIPSO label. Are TX routers supposed to apply special rules to IKE packets they forward? How do they recognize IKE traffic as it traverses the network? I think it would be better to send IKE packets in the same format (with/without CIPSO header) that will be used for ciphertext. Is this doable? Is the ciphertext format known when initiating the IKE exchange?

Page 6 Glossary
Nit: Evince is showing a number at the end of the definition of each term on my system.
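The router-side question raised above (how a TX router would tell IKE traffic from other traffic, and whether it carries a CIPSO label) can be made concrete with a small packet check. The following is an added example, not code from the txipsec design document or from any participant in the thread. It assumes the standard IPv4 option type 134 for CIPSO, a CIPSO body of a 4-byte DOI followed by tags (tag type 1 used here), and IKE carried on UDP port 500 or 4500 (NAT-T); the packets it parses are constructed inline with zero checksums, and the `router_accepts` policy knob is hypothetical, modelling the "special rules for IKE" alternative the comment asks about.

```python
import socket
import struct

CIPSO_OPTION_TYPE = 134      # IPv4 option number assigned to CIPSO
IKE_UDP_PORTS = {500, 4500}  # ISAKMP/IKE and IKE NAT-T (assumption for this example)
IPPROTO_UDP = 17


def parse_ipv4_options(pkt: bytes):
    """Return [(type, data)] for every option in the IPv4 header, rejecting malformed ones."""
    ihl = (pkt[0] & 0x0F) * 4
    opts = pkt[20:ihl]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Options List: the rest is padding
            break
        if kind == 1:          # No-Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def has_cipso_label(pkt: bytes) -> bool:
    """True if the header carries a CIPSO option with at least a DOI and one tag."""
    return any(kind == CIPSO_OPTION_TYPE and len(data) >= 6
               for kind, data in parse_ipv4_options(pkt))


def is_ike(pkt: bytes) -> bool:
    """Recognise IKE purely from the outer headers: UDP to/from port 500 or 4500."""
    if pkt[9] != IPPROTO_UDP:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return sport in IKE_UDP_PORTS or dport in IKE_UDP_PORTS


def classify(pkt: bytes) -> str:
    """Label the four cases a router would have to distinguish."""
    labeled, ike = has_cipso_label(pkt), is_ike(pkt)
    if labeled:
        return "labeled-ike" if ike else "labeled"
    return "unlabeled-ike" if ike else "unlabeled"


def router_accepts(pkt: bytes, exempt_ike: bool) -> bool:
    """Hypothetical forwarding rule for a packet received from a multi-label host:
    require a CIPSO label, optionally exempting unlabeled IKE (the 'special rule' case)."""
    if has_cipso_label(pkt):
        return True
    return exempt_ike and is_ike(pkt)


# --- constructed sample packets (no checksums; enough for header parsing) ---

def cipso_option(doi: int, level: int) -> bytes:
    """CIPSO option: type, length, 4-byte DOI, then a tag-type-1 tag with no categories."""
    tag = struct.pack("!BBBB", 1, 4, 0, level)   # tag type 1, length 4, alignment, level
    body = struct.pack("!I", doi) + tag
    return bytes([CIPSO_OPTION_TYPE, 2 + len(body)]) + body


def build_ipv4_udp(src, dst, sport, dport, options=b"", payload=b"") -> bytes:
    if len(options) % 4:                          # pad options with EOL to a 32-bit boundary
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + udp_len, 0, 0,
                     64, IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip + options + udp + payload


LABELED_IKE = build_ipv4_udp("10.0.0.1", "10.0.0.2", 500, 500,
                             options=cipso_option(doi=1, level=5), payload=b"\x00" * 28)
UNLABELED_IKE = build_ipv4_udp("10.0.0.1", "10.0.0.2", 4500, 4500, payload=b"\x00" * 28)
UNLABELED_DNS = build_ipv4_udp("10.0.0.1", "10.0.0.2", 53000, 53, payload=b"\x00" * 12)

if __name__ == "__main__":
    for name, p in (("labeled IKE", LABELED_IKE), ("unlabeled IKE", UNLABELED_IKE),
                    ("unlabeled DNS", UNLABELED_DNS)):
        print(f"{name:14s} {classify(p):14s} accept(strict)={router_accepts(p, False)} "
              f"accept(ike-exempt)={router_accepts(p, True)}")
```

Note what the example makes visible: without an IKE exemption a strict router drops unlabeled IKE, and with one the router has to trust port numbers as its only way of recognising IKE in transit, which is exactly the weakness behind the suggestion that IKE be sent in the same labeled or unlabeled form as the ciphertext.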