In your previous mail you wrote:

> I have seen several projects started that intend on taking
> advantage of RFC 3697.
>
> => note the RFC 3697 explains why the protection of the flow label is
> not in fact useful. Can you give more details, for instance are flow
> labels used by the destination?

Yes, most of these projects expect to use the flow label at the destination.

=> and they expect to use AH end-to-end too?

And one of these projects is using it in conjunction with source-routing.

=> source-routing doesn't change the argument that the intermediate nodes
can't check the ICV.

> => 100% incompatibility for IPv6/IPsec implementations which support AH
> and put a non-zero flow label in packets (i.e., all conformant
> implementations :-).

Right. My question was an attempt to see how many implementations
support IPSec AH today.

=> all IPv6/IPsec implementations I know (BSDs, Linux 2.6, last Windows, etc).

> Can anyone speak to their IPv6/IPSec implementations on this issue?
>
> => I strongly object to change the current choice (not protecting
> the flow label despite it is immutable) for two reasons:
> - a change will be incompatible with current implementations

Agreed. I don't want to break a lot of implementations. However, my
question above on who supports AH today is germane.

> - the protection doesn't work on transit routers, i.e., where
> the flow label is used.

For the transit use, I agree. Destination use is something new.

=> it should be good to get more infos because AH itself is subject
to calls for deprecation based on the facts ESP can be used in place
of it in most cases and AH is not very used...

Thanks

[EMAIL PROTECTED]

PS: note there is a possible ugly compromise: protect flow labels only
when ESNs (extended sequence numbers, option of the new version of AH)
are enabled. This solves the compatibility issue but we should have
stronger arguments than "it is prettier to protect flow labels".

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------