On Sep 10, 2004, at 11:06, Francis Dupont wrote:

> In your previous mail you wrote:
>
>    Speaking as an IPv6 wg member, I am not comfortable with the flow label
>    being unprotected. As an immutable field, it should be included in the
>    ICV calculation.
>
> => this is the argument which has triggered the question.
>
>    I have seen several projects started that intend on taking advantage of RFC 3697.
>
> => note that RFC 3697 explains why the protection of the flow label is not in fact useful.
> Can you give more details, for instance are flow labels used by the destination?

Yes, most of these projects expect to use the flow label at the destination.
And one of these projects is using it in conjunction with source-routing.

>    My main question is how much of an impact would such a change have on
>    the existing IPv6 implementations.
>
> => 100% incompatibility for IPv6/IPsec implementations which support AH and put a non-zero flow label in packets (i.e., all conformant implementations :-).

Right. My question was an attempt to see how many implementations support IPsec AH today.

>    Can anyone speak to their IPv6/IPsec implementations on this issue?
>
> => I strongly object to changing the current choice (not protecting the flow label despite it being immutable) for two reasons:
>  - a change will be incompatible with current implementations

Agreed. I don't want to break a lot of implementations. However, my question above on who supports AH today is germane.

>  - the protection doesn't work on transit routers, i.e., where the flow label is used.

For the transit use, I agree. Destination use is something new.

> Regards
>
> [EMAIL PROTECTED]
>
> PS: status quo is compatible with RFC 3697, or in other words, nobody asked for an IPsec protection of the field when we discussed the document which became RFC 3697.

Good point. I think it is still worthwhile to have this discussion even if it leads
to staying with the status quo.

Regards, Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
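The ICV question debated in this thread, as an added example that is not part of the original message or of any implementation: under the status quo AH zeroes Class, Flow Label and Hop Limit before computing the ICV, so a rewritten flow label still verifies at the destination. Assumptions: HMAC-SHA1-96 as the integrity algorithm, a constructed key and addresses, `payload` standing in for the AH header (ICV field zeroed) plus upper-layer data, and a hypothetical `protect_flow_label` switch modelling the proposed change.

```python
import hashlib
import hmac
import ipaddress
import struct

def ipv6_header(tclass, flow_label, payload_len, next_hdr, hop_limit, src, dst):
    """Pack a 40-byte IPv6 base header."""
    word0 = (6 << 28) | (tclass << 20) | flow_label  # version | class | flow label
    return (struct.pack("!IHBB", word0, payload_len, next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def ah_icv_input(header, protect_flow_label=False):
    """Return the header as fed to the ICV: Class and Hop Limit are zeroed,
    and the Flow Label is zeroed too unless the hypothetical switch is set."""
    word0 = struct.unpack("!I", header[:4])[0]
    mask = 0xF0000000 | (0x000FFFFF if protect_flow_label else 0)
    return struct.pack("!I", word0 & mask) + header[4:7] + b"\x00" + header[8:]

def ah_icv(key, header, payload, protect_flow_label=False):
    """HMAC-SHA1-96 (assumed algorithm) over the masked header and payload."""
    data = ah_icv_input(header, protect_flow_label) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

# Constructed sample data, not taken from the thread.
KEY = b"constructed-demo-key"
PAYLOAD = b"AH header with zeroed ICV + upper-layer data"
SRC, DST = "2001:db8::1", "2001:db8::2"
SENT = ipv6_header(0, 0x12345, len(PAYLOAD), 51, 64, SRC, DST)
# Same packet on arrival: hop limit decremented, flow label rewritten in transit.
ARRIVED = ipv6_header(0, 0xABCDE, len(PAYLOAD), 51, 57, SRC, DST)

def flow_label_change_detected(protect_flow_label):
    """True if the destination's ICV check would fail for ARRIVED."""
    sent_icv = ah_icv(KEY, SENT, PAYLOAD, protect_flow_label)
    recv_icv = ah_icv(KEY, ARRIVED, PAYLOAD, protect_flow_label)
    return not hmac.compare_digest(sent_icv, recv_icv)

if __name__ == "__main__":
    print("status quo detects rewrite:   ", flow_label_change_detected(False))
    print("flow label in ICV detects it: ", flow_label_change_detected(True))
    # The two rules disagree on the very same packet, which is the
    # interoperability break raised in the thread for non-zero flow labels.
    print("rules interoperate:", ah_icv(KEY, SENT, PAYLOAD) == ah_icv(KEY, SENT, PAYLOAD, True))
```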