> If I am reclassifying traffic at an administrative boundary then by 
> definition I don't care about or trust the "QoS information" in the
> packet as anything more than a hint which I am free to ignore (depending
> on the TCS I have with the upstream network).  When crossing security
> boundaries the only field which I am reasonably safe to trust is the
> destination address.  

Yes, exactly.  There's no point in putting cleartext port numbers in
headers; moreover, even if they were somehow required to transit the
network, there would be a strong incentive for cooperating IPsec
implementations to include deliberately incorrect port numbers to
reduce the amount of information available for traffic analysis.

So, I'm afraid that in the long run any "cleartext port numbers" field
would have to be treated at administrative boundaries with the same
level of suspicion as the diffserv code point..

> Protocol/port filtering only makes sense within an enterprise
> network or at the access provider's edge.

And it only makes sense at the access provider's edge if the customer
is silly enough to send traffic in the clear..


                                                - Bill
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
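As an added example (not part of Bill's message or the IPng list archive), the following Python sketch models a boundary router behaving as the thread describes: it reads an IPv6 header, treats the incoming DSCP purely as a hint, chooses the class from the destination address alone, and shows that once the flow is inside ESP the port numbers are simply not there to filter on. The packets, the 2001:db8:1::/48 prefix and the EF code point are constructed for the example; the ESP "ciphertext" is a stand-in for the encrypted inner packet, no cipher is run.

```python
import struct
import ipaddress

IPV6_HDR_LEN = 40
NH_UDP = 17
NH_ESP = 50


def build_ipv6(dscp, next_header, src, dst, payload):
    """Constructed IPv6 header: version 6, DSCP in the top six traffic-class
    bits, ECN bits and flow label zero, hop limit 64."""
    first_word = (6 << 28) | ((dscp & 0x3F) << 22)
    hdr = struct.pack("!IHBB", first_word, len(payload), next_header, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header with a zero checksum (checksum is not the point here)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, ciphertext):
    """ESP header: only the SPI and sequence number travel in the clear.
    `ciphertext` stands in for the encrypted inner transport header and data;
    this example does not run a real cipher."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_ipv6(pkt):
    first_word, plen, nh, _hop = struct.unpack("!IHBB", pkt[:8])
    return {
        "dscp": (first_word >> 22) & 0x3F,
        "next_header": nh,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "payload": pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + plen],
    }


def observable_fields(pkt):
    """What a boundary router can read without the peers' keys."""
    h = parse_ipv6(pkt)
    seen = {"dst": h["dst"], "dscp_hint": h["dscp"],
            "next_header": h["next_header"], "ports": None, "spi": None}
    if h["next_header"] == NH_UDP:
        seen["ports"] = struct.unpack("!HH", h["payload"][:4])
    elif h["next_header"] == NH_ESP:
        # SPI is visible; the inner UDP/TCP header is inside the ciphertext
        seen["spi"] = struct.unpack("!I", h["payload"][:4])[0]
    return seen


# Hypothetical boundary policy: the class is keyed on destination prefix only.
# Prefix and code point are made up for this example (46 = EF).
DEST_POLICY = [(ipaddress.IPv6Network("2001:db8:1::/48"), 46)]
DEFAULT_DSCP = 0  # best effort for everything else


def reclassify(pkt):
    """Rewrite the DSCP from the destination-keyed policy, ignoring the incoming
    mark and any port numbers (visible or not). Returns (packet, dscp)."""
    h = parse_ipv6(pkt)
    dst = ipaddress.IPv6Address(h["dst"])
    dscp = next((cls for net, cls in DEST_POLICY if dst in net), DEFAULT_DSCP)
    first_word = struct.unpack("!I", pkt[:4])[0]
    first_word = (first_word & ~(0x3F << 22)) | (dscp << 22)  # keep ECN bits
    return struct.pack("!I", first_word) + pkt[4:], dscp


# Constructed sample traffic: one flow sent in the clear with an EF mark it
# hopes will be honoured, one flow inside ESP to a destination the policy covers.
CLEAR_PKT = build_ipv6(46, NH_UDP, "2001:db8:9::1", "2001:db8:2::5",
                       build_udp(5060, 5060, b"INVITE sip:bob@example.net"))
ESP_PKT = build_ipv6(0, NH_ESP, "2001:db8:9::1", "2001:db8:1::5",
                     build_esp(0x1000, 1, bytes(32)))

if __name__ == "__main__":
    for name, pkt in (("cleartext", CLEAR_PKT), ("esp", ESP_PKT)):
        before = observable_fields(pkt)
        _, after = reclassify(pkt)
        print(name, before, "-> dscp", after)
```

Running it shows the two points of the thread side by side: the cleartext packet arrives marked 46 but leaves as 0 because its destination is not in the policy, so the sender's mark bought nothing; the ESP packet exposes destination, next header and SPI, and `ports` stays `None`, so a port filter at the provider's edge has nothing to act on.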