> At 2:56 PM -0400 9/10/04, Bound, Jim wrote:
> >OK I am worried now. Is there a security hole and potentially serious
> >problem by not including the Flowlabel in the ICV? We do need to ask
> >this question and should not ignore it. Then the trade offs can be
> >determined. But that data and what problem it solves should be fairly
> >compelling to go tell product implementors to add it.
>
> Jim,
>
> Based on your comments in this message, I think there is some misunderstanding.
>
> We are not talking about changing AH v1; we are discussing AH v2. To
> correctly implement AH v2, one already has to be able to accommodate
> 64 bit sequence numbers, vs. the 32 bit sequence numbers in v1. AH v2
> is still an I-D, not an RFC. So, while a change in whether to include
> the flow label in the ICV would make v2 not backward compatible with
> v1, v2 is already not backward compatible with v1 due to the required
> sequence number support difference.
>
> Does this help?
I want a clarification:
are you suggesting that AHv2 (and ESPv3) will have a different protocol
number from the current AH/ESP? otherwise we cannot distinguish
between AHv2/ESPv3 traffic and old AH/ESP traffic.
itojun
--------------------------------------------------------------------
IETF IPv6 working group mailing list
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
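An added example to illustrate the trade-off Jim raises (it is not code from the thread or from any AH implementation): AH v1 (RFC 2402) treats the IPv6 flow label as a mutable field and zeroes it before computing the ICV, so an on-path rewrite of the flow label is not detected; covering it in the ICV would detect such rewrites. The key, addresses, payload bytes, the truncated HMAC-SHA256 ICV and the way the untransmitted high 32 bits of a 64-bit sequence number are folded into the ICV input are all constructed simplifications, not the exact AH v2 wire procedure.

```python
import hashlib
import hmac
import struct

# Constructed demo key and addresses; not from the thread, not for real use.
KEY = b"constructed-demo-key"
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
AH_PROTO = 51  # IPv6 Next Header value for AH
PAYLOAD = b"constructed AH header (ICV field zeroed) + upper-layer data"


def ipv6_header(flow_label, hop_limit=64, payload_len=len(PAYLOAD)):
    """Build a 40-byte IPv6 header (version 6, traffic class 0)."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", first_word, payload_len, AH_PROTO, hop_limit) + SRC + DST


def icv_input(hdr, include_flow_label):
    """Zero mutable fields (traffic class, hop limit) before ICV computation.
    The flow label is zeroed as in AH v1; include_flow_label=True models the
    alternative debated in the thread, where the ICV covers it."""
    first_word, payload_len, next_header, _hop = struct.unpack("!IHBB", hdr[:8])
    version = first_word >> 28
    flow = (first_word & 0xFFFFF) if include_flow_label else 0
    return struct.pack("!IHBB", (version << 28) | flow, payload_len, next_header, 0) + hdr[8:]


def compute_icv(hdr, ah_and_payload, include_flow_label, esn_high=0):
    """Truncated HMAC over the immutable IPv6 fields, AH header and payload.
    esn_high models the untransmitted high 32 bits of a 64-bit sequence
    number, which the sender and receiver both fold into the ICV input."""
    data = icv_input(hdr, include_flow_label) + ah_and_payload + struct.pack("!I", esn_high)
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]  # 96-bit truncation


def flow_label_change_detected(include_flow_label):
    """True if an on-path rewrite of the flow label would fail ICV verification."""
    before = compute_icv(ipv6_header(0x12345), PAYLOAD, include_flow_label)
    after = compute_icv(ipv6_header(0xABCDE), PAYLOAD, include_flow_label)
    return before != after


def esn_high_bits_covered():
    """True if a receiver holding a different ESN high half rejects the packet."""
    hdr = ipv6_header(0x12345)
    return compute_icv(hdr, PAYLOAD, False, 0) != compute_icv(hdr, PAYLOAD, False, 1)


if __name__ == "__main__":
    print("flow label excluded, rewrite detected:", flow_label_change_detected(False))
    print("flow label included, rewrite detected:", flow_label_change_detected(True))
    print("ESN high bits covered by ICV:", esn_high_bits_covered())
```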