At 5:04 PM +0900 9/13/04, Jun-ichiro itojun Hagino wrote:
> At 2:56 PM -0400 9/10/04, Bound, Jim wrote:
>> OK I am worried now.  Is there a security hole and potentially serious
>> problem by not including the Flowlabel in the ICV?  We do need to ask
>> this question and should not ignore it.  Then the trade-offs can be
>> determined.  But that data and what problem it solves should be fairly
>> compelling to go tell product implementors to add it.
>
> Jim,
>
> Based on your comments in this message, I think there is some misunderstanding.
>
> We are not talking about changing AH v1; we are discussing AH v2. To
> correctly implement AH v2, one already has to be able to accommodate
> 64-bit sequence numbers, vs. the 32-bit sequence numbers in v1. AH v2
> is still an I-D, not an RFC. So, while a change in whether to include
> the flow label in the ICV would make v2 not backward compatible with
> v1, v2 is already not backward compatible with v1 due to the required
> sequence number support difference.
>
> Does this help?

I want a clarification: are you suggesting that AHv2 (and ESPv3) will have a different protocol number from the current AH/ESP? Otherwise we cannot distinguish between AHv2/ESPv3 traffic and old AH/ESP traffic.

itojun

The same protocol number is used in the old and new versions. You can tell, based on IKE negotiation, whether the larger sequence number space is to be used, but that is the only way to distinguish the old vs. the new versions. Presumably if one manually configures SAs, then one has to coordinate the versions as well as all the other parameters.


Steve
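Worked example, added here as an illustration and not part of the list thread or written by any of its participants: why the two versions Steve describes share one protocol number and one wire format, so that only the SA configuration (negotiated by IKE or set by hand) tells a receiver which ICV to reconstruct. It relies on these points from RFC 4302 (the AHv2 draft as later published): the AH Sequence Number field stays 32 bits; with extended sequence numbers (ESN) the high-order 32 bits of the 64-bit counter are held as SA state by both ends and appended to the ICV input but never transmitted; and the IPv6 flow label is classed as mutable and zeroed for the ICV, which is the treatment Jim's question is about. The IPv6 + AH packet layout is simplified (no extension headers), HMAC-SHA1-96 is used as the integrity algorithm, and the key, SPI, addresses and sequence values are constructed test data; the `cover_flow_label` switch is a hypothetical knob for illustrating the alternative under discussion, not a real SA parameter.

```python
"""Why an AHv2 extended sequence number is invisible on the wire, and what a
peer with the wrong SA settings sees (added example; constructed test data)."""
import hashlib
import hmac
import struct

AH_PROTO = 51     # IP protocol number for AH, identical for v1 and v2
ICV_LEN = 12      # HMAC-SHA1-96 ICV; 12 header bytes + 12 ICV = 24, a multiple of 8
AH_OFF = 40       # AH starts right after the 40-byte IPv6 base header
ICV_OFF = AH_OFF + 12

def ipv6_header(payload_len, flow_label, hop_limit=64):
    src = bytes.fromhex("20010db8000000000000000000000001")   # constructed
    dst = bytes.fromhex("20010db8000000000000000000000002")   # constructed
    word0 = (6 << 28) | (flow_label & 0xFFFFF)               # version 6, class 0
    return struct.pack("!IHBB", word0, payload_len, AH_PROTO, hop_limit) + src + dst

def ah_header(spi, seq_low32, icv=b"\x00" * ICV_LEN, next_header=59):
    """Next Header (59 = none), Payload Len in 32-bit words minus 2, Reserved,
    SPI, Sequence Number (always 32 bits on the wire), ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq_low32) + icv

def icv_input(packet, esn_high32, cover_flow_label):
    """What the ICV covers: mutable IPv6 fields (traffic class, hop limit and,
    unless the hypothetical cover_flow_label option is on, the flow label) and
    the ICV itself are zeroed; with ESN the untransmitted high 32 bits are
    appended after the packet."""
    buf = bytearray(packet)
    word0 = struct.unpack("!I", buf[0:4])[0]
    keep = 0xF0000000 | (0x000FFFFF if cover_flow_label else 0)
    buf[0:4] = struct.pack("!I", word0 & keep)
    buf[7] = 0                                       # hop limit
    buf[ICV_OFF:ICV_OFF + ICV_LEN] = b"\x00" * ICV_LEN
    if esn_high32 is not None:
        buf += struct.pack("!I", esn_high32)
    return bytes(buf)

def compute_icv(key, packet, esn_high32, cover_flow_label):
    data = icv_input(packet, esn_high32, cover_flow_label)
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, spi, seq64, esn, flow_label=0, cover_flow_label=False):
    """Sender: only the low 32 bits of the counter go into the header."""
    seq_low = seq64 & 0xFFFFFFFF
    high = (seq64 >> 32) if esn else None
    ah = ah_header(spi, seq_low)
    unsigned = ipv6_header(len(ah), flow_label) + ah
    icv = compute_icv(key, unsigned, high, cover_flow_label)
    return unsigned[:AH_OFF] + ah_header(spi, seq_low, icv)

def verify_ah(key, packet, esn, expected_high32=0, cover_flow_label=False):
    """Receiver: the SA's ESN flag and high-order counter, not anything in the
    packet, decide which ICV input is reconstructed."""
    high = expected_high32 if esn else None
    expected = compute_icv(key, packet, high, cover_flow_label)
    return hmac.compare_digest(packet[ICV_OFF:ICV_OFF + ICV_LEN], expected)

def wire_seq(packet):
    return struct.unpack("!I", packet[AH_OFF + 8:AH_OFF + 12])[0]

def set_flow_label(packet, flow_label):
    """In-transit rewrite of a field AH does not protect by default."""
    word0 = struct.unpack("!I", packet[0:4])[0] & 0xFFF00000
    return struct.pack("!I", word0 | (flow_label & 0xFFFFF)) + packet[4:]

def demo(key=b"\x0b" * 20, spi=0x1000):
    esn_pkt = build_ah_packet(key, spi, (1 << 32) | 5, esn=True)  # counter wrapped once
    v1_pkt = build_ah_packet(key, spi, 5, esn=False)              # 32-bit counter at 5
    lbl_pkt = build_ah_packet(key, spi, 7, esn=False, flow_label=0xABCDE)
    cov_pkt = build_ah_packet(key, spi, 7, esn=False, flow_label=0xABCDE,
                              cover_flow_label=True)
    return {
        # Both versions: protocol 51, identical header bytes; only the ICV differs.
        "same_wire_format": esn_pkt[:ICV_OFF] == v1_pkt[:ICV_OFF],
        "wire_seq": wire_seq(esn_pkt),
        # Peer configured (via IKE or by hand) for ESN with high half = 1 accepts.
        "esn_peer_ok": verify_ah(key, esn_pkt, esn=True, expected_high32=1),
        # A v1 peer, or an ESN peer whose high half is out of step, rejects.
        "v1_peer_rejects": verify_ah(key, esn_pkt, esn=False),
        "esn_wrong_high_rejects": verify_ah(key, esn_pkt, esn=True, expected_high32=0),
        # Flow label as AH treats it: mutable/zeroed, so a rewrite in transit passes.
        "flow_label_rewrite_passes": verify_ah(key, set_flow_label(lbl_pkt, 0x12345), esn=False),
        # If both ends covered the flow label, the same rewrite would fail the ICV.
        "covered_intact_ok": verify_ah(key, cov_pkt, esn=False, cover_flow_label=True),
        "covered_rewrite_fails": verify_ah(key, set_flow_label(cov_pkt, 0x12345),
                                           esn=False, cover_flow_label=True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical consequence for a manually keyed SA is the one Steve points at: a version or ESN mismatch does not show up as a parse error, because the packet parses identically either way; it shows up only as ICV failures on every packet, and the same is true of a mismatch in which mutable fields are covered.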

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
