On Mon, May 19, 2008 at 10:03:00PM -0400, Ken Powell wrote:
> TX routers currently verify all packets received from a
> multi-label host contain a CIPSO label. Are TX routers
> supposed to apply special rules to ike packets they forward?

Perhaps they should, but we can probably count on them not doing so.

IKE daemons can probably try to detect routers that don't pass unlabeled
IKE packets if need be.

> How do they recognize ike traffic as it traverses the network?

If they do, they go by port numbers (and ULP -- UDP).

> I think it would be better to send ike packets in the same
> format (with/without CIPSO header) that will be used for
> ciphertext. Is this doable? Is the ciphertext format known
> when initiating the ike exchange?

That makes sense, for two reasons: if AH/ESP w/o outer CIPSO can pass
through multilevel routers, then surely so can IKE traffic; and IKE
cryptographically protects much (but obviously not all) IKE traffic.

> Page 6 Glossary
> 
> Nit: Evince is showing a number at the end of the definition
> of each term on my system.

Evince does weird things for me too.

Nico
-- 
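A small packet classifier, added here as an illustration and not code from this thread, from Trusted Extensions or from any IKE daemon: it spots IKE the way Nico says a router would (ULP UDP, port 500 or 4500), checks whether the outer IPv4 header carries a CIPSO option (option type 134, DOI followed by tags), and then applies the rule Ken describes, that packets from a multi-label host must carry a CIPSO label. The packets, the DOI value and the sensitivity level are constructed for the example, and the `ike_exempt` switch is a hypothetical knob for exploring the "special rules for IKE" question, not a real TX router setting.

```python
"""Classify IPv4 packets as a label-aware router might: is it IKE, and is it CIPSO-labeled?

Constructed example; not Trusted Extensions or IKE daemon code.
"""
import struct

CIPSO_OPT = 134          # IPv4 option type for CIPSO (0x86)
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORTS = {500, 4500}  # ISAKMP and IKE NAT-T


def parse_ipv4_options(opts):
    """Return a list of (type, data) for the IPv4 options area, honouring EOL/NOP."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:            # End of Option List: the rest is padding
            break
        if t == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("bad option length")
        out.append((t, opts[i + 2:i + ln]))
        i += ln
    return out


def classify(pkt):
    """Report ULP, whether the packet looks like IKE, and any CIPSO label on it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    proto = pkt[9]
    cipso = next((d for t, d in parse_ipv4_options(pkt[20:ihl]) if t == CIPSO_OPT), None)
    doi = level = None
    if cipso is not None and len(cipso) >= 4:
        doi = struct.unpack("!I", cipso[:4])[0]
        tags = cipso[4:]
        # CIPSO tag type 1 (bitmapped): type, length, alignment octet, sensitivity level, ...
        if len(tags) >= 4 and tags[0] == 1:
            level = tags[3]
    is_ike = False
    if proto == IPPROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        is_ike = sport in IKE_PORTS or dport in IKE_PORTS
    return {"proto": proto, "is_ike": is_ike,
            "has_cipso": cipso is not None, "cipso_doi": doi, "cipso_level": level}


def router_forwards(pkt, from_multilabel_host, ike_exempt=False):
    """Ken's rule: packets from a multi-label host must carry CIPSO.
    ike_exempt is a hypothetical knob: would unlabeled IKE be let through anyway?"""
    info = classify(pkt)
    if not from_multilabel_host:
        return True
    if info["has_cipso"]:
        return True
    return ike_exempt and info["is_ike"]


# --- constructed packet builders for the example ---------------------------

def cipso_option(doi, tags=b""):
    body = struct.pack("!I", doi) + tags
    return bytes([CIPSO_OPT, 2 + len(body)]) + body


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_packet(proto, payload, options=b"",
                 src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    while len(options) % 4:       # pad options to a 32-bit boundary with EOL
        options += b"\x00"
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + options + payload


# Constructed samples: DOI 1 and level 3 are arbitrary example values.
LABEL = cipso_option(1, bytes([1, 4, 0, 3]))
UNLABELED_IKE = build_packet(IPPROTO_UDP, udp(500, 500, b"\x00" * 28))
LABELED_IKE = build_packet(IPPROTO_UDP, udp(4500, 4500, b"\x00" * 4), options=LABEL)
LABELED_ESP = build_packet(IPPROTO_ESP, b"\x00" * 16, options=LABEL)

if __name__ == "__main__":
    for name, p in [("unlabeled IKE", UNLABELED_IKE), ("labeled IKE", LABELED_IKE),
                    ("labeled ESP", LABELED_ESP)]:
        print(name, classify(p), "forwarded:", router_forwards(p, True))
```

The classifier only looks at the outer IPv4 header and UDP ports, which is all a router on the path can see; an IKE daemon that wanted to detect a router dropping its unlabeled packets would have to infer it from retransmit timeouts, since nothing in the packet itself tells it.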
