-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sam Hartman wrote:
"Joe" == Joe Touch <touch(_at_)ISI(_dot_)EDU> writes:
Joe> I was wondering about that; it seems inconsistent to have
Joe> this document require something that is optional in RFC 4301.
I suspect you realize this, but some people following the discussion
may not. It's critical to this mechanism that intermediate systems be
able to read the sensitivity level. You can either do hop-by-hop SAs
using either ESP-null or AH, or end-to-end SAs using AH or ESP/null
plus one of the fixes so you can determine that a packet is ESP-null
rather than ESP-encrypted. Note that if you are talking about
end-to-end SAs you need to either explain why the intermediate systems
don't need to be able to confirm the integrity of the label, or you
need to address Steve Bellovin's concerns.
Hi, Sam,
Thanks for pointing that out. The issue, AFAICT, is how to achieve the
required transparency while relying on (as much as possible) only
protocols that are MUSTs, rather than MAYs.
Perhaps that's less of an issue for this system, but I would hate to
have it depend on IPsec devices that implemented a MAY.
Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjlUNMACgkQE5f5cImnZrtJEgCghWYeCC7flc8lHvjh4r+j963A
3CsAnRAOyGF7jSYVzoGV5h9WMIMQtao+
=pogB
-----END PGP SIGNATURE-----
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf