For a router to trust a label in the hop-by-hop header, it has to either
*believe* the packet is authentic (packet coming in through an interface
connected to a highly secured network), or it is the other end (dst) of an
AH SA protecting the labeled packet.
Here is an example:

    Secure (trusted)    Unsecure network     Secure network
        network        (non trustworthy)
        /------\            //----\\            /------\
        |      |            |      |            |      |
Host1 --|      |--- SGW1 ---|      |--- SGW2 ---|      |--- Host2
        |      |            |      |            |      |
        \------/            \\----//            \------/

The security policy requires that data at certain labels follow certain paths
inside the secure networks, and that it is offered a certain protection when
travelling through untrusted clouds. The inside routers in the trusted networks
will use the label for trusted routing. Edge routers SGW1 & SGW2 MUST use an AH
SA.
If confidentiality is required, an additional AH ESP between Host1 and Host2
can be used.
Kais.
>>
>>My understanding of the draft was that, one of the goals is for intervening
>>routers to be able to make routing decisions based on the contents of the
>>security label (Section 3.4):
>>
>> A router needs to trust the authenticity and integrity of a
>> packet before making routing decision based on the content of its
>> label.
>>
>>The proposal is to permit security labels in Hop-By-Hop Extension Headers,
>>which (if I remember correctly) are only protected by AH.
>>
>>This would seem to require AH.
>
>But intermediate routers don't have the keys to verify the AH header.
>
> --Steve Bellovin, http://www.research.att.com/~smb
>
>
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------