On Dec 7, 2009, at 5:26 PM, Paul Moore wrote:

> On Monday 07 December 2009 05:16:26 pm Stephen Kent wrote:
>> Paul,
>>
>> From your comments it seems as though an IP option would be
>> preferable, as it is not IP-sec-specific, and it can be protected if
>> needed, in the IPSec context, e.g., via tunneling.
>
> Exactly. Since the option would be immutable it could also be protected with
> AH allowing for intermediate nodes to apply security policy based on the
> label.

Not really, because the intermediate nodes probably don't have the key necessary to verify the label.

> Although I do understand AH is falling out of favor.

I certainly hope so...

--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec