In your previous mail you wrote:

For Moonv6 testing we had 6 production implementations of IPsec with IPv6. Speculation is in early 2005 we will have 11-15. So it has been implemented for that question and with production code. But how painful is it to add this to the ICV?

=> it is very easy, i.e., some lines of code to change. The issue is two implementations making a different choice are incompatible in an invisible way: AH will become strictly unusable for years, even for people asking for the protection of the flow label field.

The issue is at the virtual IP layer and then in the SA database and of course the actual ICV. If implementors had to do it then we would need to be able to identify IPsec with and without for that in process.

=> the IPsec WG tried to make the new version of IPsec compatible with the old one, i.e., AH and ESP v1 are compatible with AH and ESP v2. Here we are talking about making AH v3 not compatible with AH v2 for IPv6 without concrete benefit.

Regards

[EMAIL PROTECTED]

PS: IMHO this is like the idea to put the destination address first: clearly it is a better choice but it was proposed a bit too late...
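
The interoperability concern raised in this message, as an added example that is not part of the original mail or of any IPsec implementation: two peers that share a key but disagree on whether the flow label is covered by the ICV. Assumptions: HMAC-SHA1-96 as the integrity algorithm, a constructed key, payload and documentation addresses, and an ICV computed over the base IPv6 header plus payload only (a real AH ICV also covers the AH header and extension headers).

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed SA key, illustration only
PAYLOAD = b"\x00" * 8           # constructed upper-layer payload


def ipv6_header(flow_label, hop_limit=64, traffic_class=0):
    """Build a 40-byte IPv6 base header with constructed 2001:db8:: addresses."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    # Next Header 51 = AH
    return struct.pack("!IHBB", first_word, len(PAYLOAD), 51, hop_limit) + src + dst


def icv(header, payload, include_flow_label):
    """HMAC-SHA1-96 over the header with the mutable fields zeroed.

    Traffic class and hop limit are always zeroed; the flow label is zeroed
    unless the implementation chose to protect it.
    """
    first_word, plen, nxt, _hop = struct.unpack("!IHBB", header[:8])
    # Bits: version 31-28, traffic class 27-20, flow label 19-0
    mask = 0xF00FFFFF if include_flow_label else 0xF0000000
    normalized = struct.pack("!IHBB", first_word & mask, plen, nxt, 0) + header[8:]
    return hmac.new(KEY, normalized + payload, hashlib.sha1).digest()[:12]


def verify(header, payload, received_icv, include_flow_label):
    """Receiver-side check using the receiver's own flow label choice."""
    return hmac.compare_digest(icv(header, payload, include_flow_label), received_icv)


def demo():
    """Sender protects the flow label; receivers differ in their choice."""
    results = {}
    for label in (0x00000, 0x12345):
        hdr = ipv6_header(label)
        tag = icv(hdr, PAYLOAD, include_flow_label=True)
        results[label] = (verify(hdr, PAYLOAD, tag, True),
                          verify(hdr, PAYLOAD, tag, False))
    return results


if __name__ == "__main__":
    for label, (same, different) in demo().items():
        print(f"flow label {label:#07x}: same choice={same}, different choice={different}")
```

With a zero flow label both choices produce the same ICV, so the mismatch only surfaces once a non-zero flow label is used, and then it appears as an ordinary authentication failure.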