OK I am worried now.  Is there a security hole and potentially serious
problem by not including the Flowlabel in the ICV?  We do need to ask
this question and should not ignore it.  Then the trade-offs can be
determined.  But that data and what problem it solves should be fairly
compelling to go tell product implementors to add it.  

Thanks
/jim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Francis Dupont
> Sent: Friday, September 10, 2004 11:06 AM
> To: Brian Haberman
> Cc: [EMAIL PROTECTED]
> Subject: Re: AH and flow label 
> 
>  In your previous mail you wrote:
> 
>    Speaking as an IPv6 wg member, I am not comfortable with the flow
>    label being unprotected.  As an immutable field, it should be
>    included in the ICV calculation.
> 
> => this is the argument which has triggered the question.
> 
>    I have seen several projects started that intend on taking
>    advantage of RFC 3697.
> 
> => note that RFC 3697 explains why the protection of the flow
> label is not in fact useful. Can you give more details, for
> instance are flow labels used by the destination?
> 
>    My main question is how much of an impact would such a change
>    have on the existing IPv6 implementations.
>    
> => 100% incompatibility for IPv6/IPsec implementations which 
> support AH and put a non-zero flow label in packets (i.e., 
> all conformant implementations :-).
> 
>    Can anyone speak to their IPv6/IPSec implementations on this issue?
>    
> => I strongly object to changing the current choice (not
> protecting the flow label even though it is immutable) for two reasons:
>  - a change will be incompatible with current implementations
>  - the protection doesn't work on transit routers, i.e., where
>    the flow label is used.
> 
> Regards
> 
> [EMAIL PROTECTED]
> 
> PS: status quo is compatible with RFC 3697, or in other
> words, nobody asked for an IPsec protection of the field when we
> discussed the document which became RFC 3697.
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [EMAIL PROTECTED]
> Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
> 
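
The trade-off discussed in this thread, as an added example that is not part of the original messages: a simplified AH-style ICV in Python that zeroes the IPv6 base-header fields AH treats as mutable (traffic class, flow label, hop limit), next to the hypothetical variant that keeps the flow label. All names, the key, addresses and payload are constructed, and the real ICV also covers the AH header and extension headers, which are left out here.

```python
import hashlib
import hmac
import struct

def ipv6_header(flow_label, hop_limit, src, dst, payload_len, tclass=0):
    # Word 0 = version (4 bits) | traffic class (8 bits) | flow label (20 bits)
    word0 = (6 << 28) | (tclass << 20) | (flow_label & 0xFFFFF)
    # Next header 51 = AH
    return struct.pack("!IHBB", word0, payload_len, 51, hop_limit) + src + dst

def zero_mutable(header, protect_flow_label=False):
    # AH zeroes traffic class, flow label and hop limit before computing the ICV.
    # protect_flow_label=True is the hypothetical change debated in the thread.
    (word0,) = struct.unpack("!I", header[:4])
    mask = 0xF0000000 | (0x000FFFFF if protect_flow_label else 0)
    return struct.pack("!I", word0 & mask) + header[4:7] + b"\x00" + header[8:]

def icv(key, header, payload, protect_flow_label=False):
    # Simplification: HMAC-SHA1-96 over base header + payload only.
    data = zero_mutable(header, protect_flow_label) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def demo():
    key = b"constructed-test-key"  # constructed sample values throughout
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    payload = b"constructed payload"
    n = len(payload)
    sent = ipv6_header(0x12345, 64, src, dst, n)
    relabeled = ipv6_header(0xABCDE, 60, src, dst, n)  # label rewritten in transit
    readdressed = ipv6_header(0x12345, 64, dst, src, n)  # immutable field altered
    unlabeled = ipv6_header(0, 64, src, dst, n)
    same = hmac.compare_digest
    return {
        # Current rule: receiver cannot tell the flow label was rewritten.
        "relabel_accepted_today": same(icv(key, sent, payload), icv(key, relabeled, payload)),
        # Current rule still covers the addresses.
        "readdress_rejected_today": not same(icv(key, sent, payload), icv(key, readdressed, payload)),
        # Hypothetical rule: the end host would detect the rewrite.
        "relabel_rejected_if_protected": not same(
            icv(key, sent, payload, True), icv(key, relabeled, payload, True)),
        # Old and new rule disagree whenever the label is non-zero...
        "rules_interoperate_nonzero": same(icv(key, sent, payload), icv(key, sent, payload, True)),
        # ...and agree only when it is zero.
        "rules_interoperate_zero": same(
            icv(key, unlabeled, payload), icv(key, unlabeled, payload, True)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```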
