Having read the whole thread, I can't see any convincing reason to include the flow label in AH.
Apart from the arguments already expressed, what do we do if AH fails because of a changed flow label? We discard the packet instead of delivering it. Does that improve QOS? I don't *think* so. On the contrary, it creates a trivial new DoS attack.
Brian
Francis Dupont wrote:
Here is a message from Steve Kent, who is updating RFC 2402 "IP Authentication Header (AH)", about the flow label status. I have put it on this list for people interested in IPsec who do not have enough time to read the mailing list... To summarize, the question is:
Is the [ipsec] WG comfortable with the status quo, i.e., NOT including the flow label in the ICV [integrity check value], despite the fact that it is immutable?
[EMAIL PROTECTED]
PS: of course my opinion is we have to keep the status quo and the decision is in the scope (i.e., hands?) of the ipv6 WG.
------------------------------------------------------------------------
-------------------------------------------------------------------- IETF IPv6 working group mailing list [EMAIL PROTECTED] Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
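The trade-off discussed in this thread, as an added example that is not part of the original messages: a simplified AH-style ICV over the IPv6 fixed header, computed once with the RFC 2402 rule (Class, Flow Label and Hop Limit zeroed) and once with a hypothetical variant that covers the flow label. The key, addresses, payload and function names are constructed for illustration, and the AH header's own fields are left out of the ICV input for brevity.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key


def ipv6_header(flow_label, hop_limit, payload_len=0, next_header=51,
                src="2001:db8::1", dst="2001:db8::2", traffic_class=0):
    """Pack a 40-byte IPv6 fixed header (documentation-prefix sample addresses)."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def icv_input(header, cover_flow_label):
    """Zero the fields excluded from the ICV, as done before hashing."""
    first_word, plen, nh, _hop = struct.unpack("!IHBB", header[:8])
    mask = 0xF0000000              # keep Version, zero Traffic Class
    if cover_flow_label:
        mask |= 0x000FFFFF         # hypothetical variant: flow label is covered
    # Hop Limit is always zeroed because routers decrement it in transit.
    return struct.pack("!IHBB", first_word & mask, plen, nh, 0) + header[8:]


def icv(header, payload, cover_flow_label):
    """HMAC-SHA1-96 over the masked header plus payload."""
    data = icv_input(header, cover_flow_label) + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def receiver_accepts(sent_header, received_header, payload, cover_flow_label):
    """True if the ICV computed at the sender still verifies at the receiver."""
    expected = icv(sent_header, payload, cover_flow_label)
    actual = icv(received_header, payload, cover_flow_label)
    return hmac.compare_digest(expected, actual)


def demo():
    payload = b"constructed upper-layer payload"
    sent = ipv6_header(flow_label=0x12345, hop_limit=64)
    # Constructed in-transit state: hop limit decremented, flow label changed.
    received = ipv6_header(flow_label=0x00000, hop_limit=60)
    return {
        "status_quo": receiver_accepts(sent, received, payload, False),
        "flow_label_covered": receiver_accepts(sent, received, payload, True),
    }
```

With the status quo the packet still verifies after the flow label changes; with the flow label covered, the same change makes the receiver discard the packet.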