Here is a message from Steve Kent who is updating the RFC 2402
IP Authentication Header (AH) about the flow label status.
I have put it in this list for people interested in IPsec but
who do not have enough time to read the mailing list...
To summarize, the question is:
Is the [ipsec] WG comfortable
Speaking as an IPv6 wg member, I am not comfortable with the flow label
being unprotected. As an immutable field, it should be included in the
ICV calculation.
I have seen several projects started that intend on taking advantage of
RFC 3697.
My main question is how much of an impact would such
I agree with Brian. I'd like to see it protected.
Hesham
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Brian Haberman
Sent: Friday, September 10, 2004 6:50 AM
To: Francis Dupont
Cc: [EMAIL PROTECTED]
Subject: Re: AH and flow label
Speaking as an IPv6
In your previous mail you wrote:
Speaking as an IPv6 wg member, I am not comfortable with the flow label
being unprotected. As an immutable field, it should be included in the
ICV calculation.
= this is the argument which has triggered the question.
I have seen several projects
On Sep 10, 2004, at 11:06, Francis Dupont wrote:
In your previous mail you wrote:
Speaking as an IPv6 wg member, I am not comfortable with the flow label
being unprotected. As an immutable field, it should be included in the
ICV calculation.
= this is the argument which has triggered
Francis,
I agree with the drawback you see and it's not ideal.
But I also think the whole flow label story was inconsistent
and we finally have consensus on how we want to use it.
Given the fact that it is immutable, it makes a lot of
sense to protect it.
The benefit depends on the
I would have impact to existing implementations yes it is not part of
the ICV now and should not be.
/jim
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Brian Haberman
Sent: Friday, September 10, 2004 6:50 AM
To: Francis Dupont
Cc: [EMAIL
Francis,
The flow label should not be part of the ICV because it is permitted to
be rewritable en route as long as it is delivered intact E2E. I say
keep as it is today. No other comment.
Thanks for asking,
/jim
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
On Fri, 10 Sep 2004, Bound, Jim wrote:
The flow label should not be part of the ICV because it is permitted to
be rewritable en route as long as it is delivered intact E2E. I say
keep as it is today. No other comment.
But it won't be possible to verify the AH en route in any case (or are you
Right. My question was an attempt to see how many implementations
support IPSec AH today.
We have one that supports IPsec AH for IPv6 and I am pretty sure
that there are many more :)
IETF IPv6 working group mailing list
At 11:37 AM -0400 9/10/04, Bound, Jim wrote:
Francis,
The flow label should not be part of the ICV because it is permitted to
be rewritable en route as long as it is delivered intact E2E. I say
keep as it is today. No other comment.
Thanks for asking,
/jim
Jim,
If it is delivered with the same
OK I am worried now. Is there a security hole and potentially serious
problem by not including the Flowlabel in the ICV? We do need to ask
this question and should not ignore it. Then the trade offs can be
determined. But that data and what problem it solves should be fairly
compelling to go
The flow label should not be part of the ICV because it is permitted to
be rewritable en route as long as it is delivered intact E2E. I say
keep as it is today. No other comment.
nodes in the middle are also unlikely to be in a position to verify
the ICV.
if it is, in fact, guaranteed to be
In your previous mail you wrote:
For Moonv6 testing we had 6 production implementations of IPsec with
IPv6. Speculation is in early 2005 we will have 11-15. So it has been
implemented for that question and with production code. But how painful
is it to add this to the ICV?
= it