> At 2:56 PM -0400 9/10/04, Bound, Jim wrote:
> >OK I am worried now. Is there a security hole and potentially serious
> >problem by not including the Flowlabel in the ICV? We do need to ask
> >this question and should not ignore it. Then the trade-offs can be
> >determined. But that data and what problem it solves should be fairly
> >compelling to go tell product implementors to add it.
>
> Jim,
>
> Based on your comments in this message, I think there is some misunderstanding.
>
> We are not talking about changing AH v1; we are discussing AH v2. To
> correctly implement AH v2, one already has to be able to accommodate
> 64-bit sequence numbers, vs. the 32-bit sequence numbers in v1. AH v2
> is still an I-D, not an RFC. So, while a change in whether to include
> the flow label in the ICV would make v2 not backward compatible with
> v1, v2 is already not backward compatible with v1 due to the required
> sequence number support difference.
>
> Does this help?
I want a clarification: are you suggesting that AHv2 (and ESPv3) will have
a different protocol number from the current AH/ESP? Otherwise we cannot
distinguish between AHv2/ESPv3 traffic and old AH/ESP traffic.

itojun

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
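The two points debated above (whether the flow label is covered by the AH ICV, and why a 64-bit sequence number alone already breaks v1/v2 interoperability), as an added worked example that is not code from this thread or from any IPsec implementation. Addresses, key, SPI and payload are constructed; traffic class and hop limit are zeroed as mutable fields, and the flow label is switchable between mutable and immutable to show the trade-off.

```python
import hmac
import hashlib
import struct

# Constructed sample addresses and key (not taken from the thread).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
KEY = b"constructed-demo-key"
AH_PROTO, ICV_LEN = 51, 12          # AH protocol number; HMAC-SHA1-96 ICV length

def ipv6_header(flow_label, hop_limit, payload_len, next_hdr=AH_PROTO):
    """40-byte IPv6 base header (version 6, traffic class 0)."""
    first = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", first, payload_len, next_hdr, hop_limit) + SRC + DST

def zero_mutable(hdr, flow_label_mutable=True):
    """Zero the IPv6 fields treated as mutable before hashing: traffic class
    and hop limit always, flow label only if it is declared mutable."""
    first = struct.unpack("!I", hdr[:4])[0]
    first &= 0xF0000000 if flow_label_mutable else 0xF00FFFFF
    return struct.pack("!I", first) + hdr[4:7] + b"\x00" + hdr[8:]

def ah_icv(hdr, spi, seq, payload, payload_proto=59, flow_label_mutable=True, esn=False):
    """HMAC-SHA1-96 over the zeroed IPv6 header, the AH header with its ICV
    field zeroed, and the payload. With esn=True the high 32 bits of a 64-bit
    sequence number are appended to the hashed data but never sent on the wire."""
    words_minus_2 = (12 + ICV_LEN) // 4 - 2            # AH "Payload Len" field
    ah = struct.pack("!BBHII", payload_proto, words_minus_2, 0, spi, seq & 0xFFFFFFFF)
    data = zero_mutable(hdr, flow_label_mutable) + ah + b"\x00" * ICV_LEN + payload
    if esn:
        data += struct.pack("!I", seq >> 32)
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def verifies_after_rewrite(flow_label_mutable):
    """Sender signs with flow label 0x12345 and hop limit 64; a router on the
    path rewrites the flow label to 0x54321 and decrements the hop limit.
    Returns True if the receiver's recomputed ICV still matches the sender's."""
    payload = b"\x00" * 8
    plen = 12 + ICV_LEN + len(payload)
    sent = ipv6_header(0x12345, 64, plen)
    recv = ipv6_header(0x54321, 63, plen)
    icv_sent = ah_icv(sent, 0x1000, 7, payload, flow_label_mutable=flow_label_mutable)
    icv_recv = ah_icv(recv, 0x1000, 7, payload, flow_label_mutable=flow_label_mutable)
    return hmac.compare_digest(icv_sent, icv_recv)

def esn_changes_icv():
    """Same on-the-wire packet with a sequence number above 2^32: a 32-bit
    (v1-style) verifier and a 64-bit (v2-style) verifier disagree on the ICV."""
    hdr = ipv6_header(0x12345, 64, 12 + ICV_LEN + 8)
    seq = (3 << 32) | 5
    return ah_icv(hdr, 0x1000, seq, b"\x00" * 8) != ah_icv(hdr, 0x1000, seq, b"\x00" * 8, esn=True)
```

With the flow label mutable, the rewritten packet still verifies but the flow label is unauthenticated; with it immutable, any on-path rewrite of the label causes an ICV failure, which is the trade-off the thread is weighing.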