On Sep 10, 2004, at 11:06, Francis Dupont wrote:

 In your previous mail you wrote:

Speaking as an IPv6 wg member, I am not comfortable with the flow label
being unprotected. As an immutable field, it should be included in the
ICV calculation.

=> this is the argument which has triggered the question.

   I have seen several projects started that intend on taking
   advantage of RFC 3697.

=> note that RFC 3697 explains why the protection of the flow label is
not in fact useful. Can you give more details, for instance are flow
labels used by the destination?

Yes, most of these projects expect to use the flow label at the destination.
And one of these projects is using it in conjunction with source-routing.


My main question is how much of an impact would such a change have on
the existing IPv6 implementations.

=> 100% incompatibility for IPv6/IPsec implementations which support AH
and put a non-zero flow label in packets (i.e., all conformant
implementations :-).

Right. My question was an attempt to see how many implementations support IPSec AH today.


Can anyone speak to their IPv6/IPSec implementations on this issue?

=> I strongly object to changing the current choice (not protecting
the flow label despite it being immutable) for two reasons:
 - a change will be incompatible with current implementations

Agreed. I don't want to break a lot of implementations. However, my question above on who supports AH today is germane.

 - the protection doesn't work on transit routers, i.e., where
   the flow label is used.

For the transit use, I agree. Destination use is something new.


Regards

[EMAIL PROTECTED]

PS: status quo is compatible with RFC 3697, or in other words, nobody
asked, when we discussed the document which became RFC 3697,
for an IPsec protection of the field.

Good point. I think it is still worthwhile to have this discussion even if it leads
to staying with the status quo.

Regards,
Brian


--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
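
The two points debated in the thread above (incompatibility for non-zero flow labels, and what AH can detect when the label changes), modelled in Python as an added example that is not part of the original messages or of any implementation mentioned in them. It assumes HMAC-SHA1-96 as the AH algorithm; the key, addresses and the `REST` bytes standing in for the AH header and payload are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values (not from the thread).
KEY = b"constructed-demo-key"
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed
REST = b"\x00" * 24 + b"upper-layer payload"  # stand-in: AH header (ICV zeroed) + payload

def ipv6_header(flow_label, hop_limit, traffic_class=0, next_header=51):
    """Build a 40-byte IPv6 base header; next header 51 is AH."""
    word0 = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", word0, len(REST), next_header, hop_limit) + SRC + DST

def icv_input(header, protect_flow_label):
    """Zero the fields AH treats as mutable before the ICV is computed.

    Traffic class and hop limit are always zeroed. The flow label is zeroed
    under the current rule and kept under the proposed one.
    """
    (word0,) = struct.unpack("!I", header[:4])
    keep = 0xF0000000 | (0x000FFFFF if protect_flow_label else 0)
    return struct.pack("!I", word0 & keep) + header[4:7] + b"\x00" + header[8:]

def ah_icv(header, protect_flow_label=False):
    """HMAC-SHA1-96 over the masked header plus the rest of the packet (assumed algorithm)."""
    data = icv_input(header, protect_flow_label) + REST
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def interoperable(flow_label):
    """True if a sender protecting the flow label verifies at a current-rule receiver."""
    pkt = ipv6_header(flow_label, hop_limit=64)
    return hmac.compare_digest(ah_icv(pkt, True), ah_icv(pkt, False))

def survives_rewrite(protect_flow_label):
    """True if the ICV still verifies after the flow label is changed in transit."""
    sent = ipv6_header(0x12345, hop_limit=64)
    received = ipv6_header(0x54321, hop_limit=63)
    return hmac.compare_digest(ah_icv(sent, protect_flow_label),
                               ah_icv(received, protect_flow_label))

if __name__ == "__main__":
    print("zero label interoperates:         ", interoperable(0))
    print("non-zero label interoperates:     ", interoperable(0x12345))
    print("rewrite undetected, current rule: ", survives_rewrite(False))
    print("rewrite undetected, proposed rule:", survives_rewrite(True))
```

Only the destination computes the ICV, so the proposed rule changes what the endpoint detects and has no effect on how transit routers use the label.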
