Brian:

Joel reminds me, in private email, that nobody seems to be commenting on your 
original question, which has to do with covert channels and whether that should 
affect the discussion of flow labels.

Here's a covert channel for you. I was at an agency last year that uses 
specialized mail services, the kind that (for the right email under the right 
circumstances) might decide to deliver a certain email to a set of persons 
within a stated period of time. They basically really wanted to have the 
service, but didn't want to have to upgrade their very special version of a 
mail system to mark DSCPs - at most, they wanted to reconfigure the mail server.

I asked them if the equipment they used could support a second NIC; yes. I 
asked them if they could configure their email rules to send using one 
interface in the "routine" case and the other in the "flash" case; yes.

I pointed out that if they were to do so, on the router in front of the server, 
I could, with an ACL, mark the DSCP for them. My sales guy commented that I 
wasn't helping him sell a fancy bit of gear.

In this case, the IP Source Address contains a covert channel; certain kinds of 
email transactions can be identified by their source address.

Hmm. Should we allow source addresses through security gear? What crazy 
implications might there be regarding such covert channels?

I think the covert channel question is a red herring. Yes, creative people can 
do creative things. And the point is...?

Fred
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

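The arrangement Fred describes, as an added example that is not part of the original post: the mail server sends "routine" mail from one interface and "flash" mail from a second, and the router in front of it applies an ACL keyed on the source address to set the DSCP. The script models that ACL on IPv6 headers (RFC 8200 layout: 4-bit version, 8-bit traffic class, 20-bit flow label) and also shows the covert channel itself, namely that an observer who sees only the source address recovers the same classification. The addresses (documentation prefix 2001:db8::/32), the ACL table, and the DSCP values are assumptions chosen for illustration; the header fields are the standard ones.

```python
import ipaddress
import struct

# Constructed addresses for the server's two NICs (assumption, documentation prefix).
ROUTINE_SRC = ipaddress.IPv6Address("2001:db8:1::25")
FLASH_SRC = ipaddress.IPv6Address("2001:db8:2::25")

# Hypothetical router ACL: source address -> 6-bit DSCP code point.
DSCP_CS0 = 0    # best effort
DSCP_EF = 46    # Expedited Forwarding
ACL = {
    ROUTINE_SRC: DSCP_CS0,
    FLASH_SRC: DSCP_EF,
}

# struct layout of the fixed 40-byte IPv6 header: first 32-bit word, payload
# length, next header, hop limit, source address, destination address.
_HDR = struct.Struct("!IHBB16s16s")


def build_ipv6_header(src, dst, payload_len, next_header=6, hop_limit=64,
                      flow_label=0, traffic_class=0):
    """Build an IPv6 fixed header with the given traffic class and flow label."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return _HDR.pack(first_word, payload_len, next_header, hop_limit,
                     src.packed, dst.packed)


def parse_ipv6_header(hdr):
    """Decode the fields an ACL or an observer would look at."""
    first_word, payload_len, nh, hl, src, dst = _HDR.unpack(hdr[:40])
    tc = (first_word >> 20) & 0xFF
    return {
        "version": first_word >> 28,
        "dscp": tc >> 2,          # upper 6 bits of traffic class
        "ecn": tc & 0x3,          # lower 2 bits of traffic class
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": nh,
        "hop_limit": hl,
        "src": ipaddress.IPv6Address(src),
        "dst": ipaddress.IPv6Address(dst),
    }


def set_dscp(hdr, dscp):
    """Rewrite only the DSCP bits; ECN bits and flow label are left untouched."""
    first_word = struct.unpack("!I", hdr[:4])[0]
    tc = (first_word >> 20) & 0xFF
    tc = ((dscp & 0x3F) << 2) | (tc & 0x3)
    first_word = (first_word & ~(0xFF << 20)) | (tc << 20)
    return struct.pack("!I", first_word) + hdr[4:]


def router_mark(hdr):
    """What the ACL on the router does: match source address, set DSCP.
    Packets from addresses not in the ACL pass through unchanged."""
    src = parse_ipv6_header(hdr)["src"]
    dscp = ACL.get(src)
    if dscp is None:
        return hdr
    return set_dscp(hdr, dscp)


def classify_by_source(hdr):
    """The covert channel: the source address alone reveals the mail class,
    whether or not any DSCP marking is visible downstream."""
    src = parse_ipv6_header(hdr)["src"]
    if src == FLASH_SRC:
        return "flash"
    if src == ROUTINE_SRC:
        return "routine"
    return None


if __name__ == "__main__":
    dst = ipaddress.IPv6Address("2001:db8:ffff::1")   # constructed peer MX
    for src in (ROUTINE_SRC, FLASH_SRC):
        hdr = build_ipv6_header(src, dst, payload_len=120, flow_label=0x12345,
                                traffic_class=0x3)    # ECN=CE, DSCP=0 from the host
        marked = router_mark(hdr)
        f = parse_ipv6_header(marked)
        print(f"{src}: dscp={f['dscp']} ecn={f['ecn']} "
              f"flow={f['flow_label']:#x} class={classify_by_source(marked)}")
```

The server never touches the traffic class; the router does the marking purely from the source address, and an observer anywhere on the path who can read source addresses learns the same "routine" versus "flash" distinction the DSCP was meant to carry.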