a missing piece
The IPv6 security protocols are supposed to work host to host or
gateway to gateway. But we haven't specified a protocol for hosts
to use to specify to their security gateways (by which I do not necessarily
mean firewalls) what security services are desired. Similarly, we
need a protocol -- an IPv6 header, to be more precise -- by which
the security gateway can indicate (over a nominally-trusted wire) what security
services were in effect for received packets. The former is rather
reminiscent of the IP security label option, though I won't call it
such for fear of reopening a can of worms; the latter has some tricky
aspects, such as stripping out bogus incoming security service headers
and dealing with IP within IP.
--Steve Bellovin
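The two headers the post asks for, modelled as an added example that is not part of the original message and not any specified IPv6 header: a host-to-gateway "services requested" header and a gateway-to-host "services applied" header. The header names, the packet model and the services vocabulary (auth, conf) are all assumptions made here for illustration. The point the example makes is the second "tricky aspect" above: a gateway must strip any services-applied marker that arrives from the untrusted side, including one hidden inside an IP-in-IP inner packet, before attaching the marker that reflects what it actually verified; otherwise a remote sender can claim services that were never in effect.

```python
"""Toy model of a host <-> security-gateway services protocol.

Everything here (header type names, the services vocabulary, the Packet
class) is an assumption for illustration; it is not a real IPv6 header.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed vocabulary of security services a gateway can request or report.
AUTH = "auth"   # AH-style origin authentication / integrity
CONF = "conf"   # ESP-style confidentiality

# Hypothetical extension-header type names.
SVC_REQUESTED = "svc-requested"   # host -> gateway: services the host wants
SVC_APPLIED = "svc-applied"       # gateway -> host: services actually verified


@dataclass
class Packet:
    src: str
    dst: str
    ext_headers: list = field(default_factory=list)   # list of (type, value)
    payload: bytes = b""
    inner: Optional["Packet"] = None                  # IP-in-IP encapsulation


def host_send(pkt: Packet, wanted: frozenset) -> Packet:
    """Host side, outbound: tag the packet with the services it wants."""
    pkt.ext_headers.append((SVC_REQUESTED, wanted))
    return pkt


def gateway_egress(pkt: Packet, policy_minimum: frozenset):
    """Gateway side, packet leaving the trusted wire for the Internet.

    Consumes (and removes) the request header so it never leaves the
    trusted wire, and returns the packet plus the set of services to apply
    (what the host asked for, raised to the gateway's own policy minimum).
    """
    requested = frozenset()
    kept = []
    for typ, val in pkt.ext_headers:
        if typ == SVC_REQUESTED:
            requested |= val
        else:
            kept.append((typ, val))
    pkt.ext_headers = kept
    return pkt, requested | policy_minimum


def _strip_applied(pkt: Packet) -> None:
    """Remove every svc-applied header, recursing into IP-in-IP inner packets."""
    pkt.ext_headers = [(t, v) for t, v in pkt.ext_headers if t != SVC_APPLIED]
    if pkt.inner is not None:
        _strip_applied(pkt.inner)


def gateway_ingress(pkt: Packet, verified: frozenset) -> Packet:
    """Gateway side, packet arriving from the untrusted side.

    `verified` is what the gateway itself established (AH checked, ESP
    decrypted). Any svc-applied header already present was set by the remote
    sender and is worthless, so it is stripped at every encapsulation depth
    before the gateway's own marker is attached to the outer packet.
    """
    _strip_applied(pkt)
    pkt.ext_headers.append((SVC_APPLIED, verified))
    return pkt


def host_receive(pkt: Packet) -> frozenset:
    """Host side: which services does the trusted wire say were in effect?"""
    applied = [v for t, v in pkt.ext_headers if t == SVC_APPLIED]
    # After a correct gateway there is exactly one marker on the outer packet;
    # zero or several means something on the trusted wire misbehaved.
    if len(applied) != 1:
        raise ValueError("expected exactly one svc-applied header")
    return applied[0]


# Constructed scenarios (not captured traffic).
def spoof_demo() -> frozenset:
    """Remote sender forges an svc-applied header; no IPsec actually present."""
    forged = Packet("attacker", "host", [(SVC_APPLIED, frozenset({AUTH, CONF}))])
    return host_receive(gateway_ingress(forged, frozenset()))


def tunnel_demo() -> frozenset:
    """Forged marker hidden in the inner packet of an IP-in-IP tunnel;
    the gateway verified AH on the outer packet only."""
    inner = Packet("attacker", "host", [(SVC_APPLIED, frozenset({CONF}))])
    outer = Packet("peer-gw", "host", inner=inner)
    delivered = gateway_ingress(outer, frozenset({AUTH}))
    assert all(t != SVC_APPLIED for t, _ in delivered.inner.ext_headers)
    return host_receive(delivered)


def egress_demo():
    """Host asks for confidentiality; gateway policy insists on authentication."""
    pkt = host_send(Packet("host", "peer"), frozenset({CONF}))
    return gateway_egress(pkt, frozenset({AUTH}))
```

The recursive strip is one answer to the IP-within-IP problem the post flags: the gateway does not know whether the receiving host will decapsulate and act on inner headers, so it sanitizes every layer it can see. What it cannot do is vouch for services on an inner packet it did not itself verify, which is why only the outer packet gets a marker.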