Re: (IPng) More Endpoint Attributes
Andy,

There is nothing to preclude the continued use of IPSO (etc.).
IPSO is a standards-track IETF protocol, hence appropriate to cite.
CIPSO is not a standards-track IETF protocol and the IETF CIPSO
working group was recently formally disbanded for lack of visible
effort in over a year. Hence CIPSO is not appropriate to cite.

There is text about the need to authenticate explicit labelling
information such as IPSO. There was general agreement fairly early
on in the IPsec WG that explicit labels which lack cryptographic
binding to their packet and lack cryptographic authentication mechanisms
have serious security problems due to the lack of such authentication
mechanisms. Fortunately, use of something like ESP or AH would
address those specific security problems with explicit labelling.

Similarly there is nothing to preclude the continued use of
the (not currently publicly documented) TSIG protocols. Again,
those protocols would probably benefit greatly from the availability
of cryptographic security mechanisms in the IP-layer that could
be used to secure those TSIG protocols.

I need to (and will) add text noting that explicit labels similar to
IPSO could be added to IPv6 using either the IPv6 End-to-End Options
Header or using the IPv6 Hop-by-Hop Options header. I will not
attempt to write such specifications as they are outside the scope
of my efforts.

Because the TSIG specs are not in IETF standards-track RFCs, I do not
plan to discuss them specifically or cite them.

Ran
atkinson@itd.nrl.navy.mil
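
The following is an added example, not part of the message above or of any IETF specification. It shows why an explicit label with no cryptographic binding to its packet cannot be trusted by the receiver, and how an integrity check value computed over label and payload together closes that gap. The option layout and level codes follow the RFC 1108 Basic Security Option, which the message does not quote; HMAC-SHA-256, the key, and the function names are assumptions standing in for an AH-style authenticator.

```python
import hashlib
import hmac
import struct

# RFC 1108 Basic Security Option: option type 130, one classification octet.
BSO_TYPE = 130
LEVELS = {0x3D: "TOP SECRET", 0x5A: "SECRET",
          0x96: "CONFIDENTIAL", 0xAB: "UNCLASSIFIED"}


def build_bso(level: int, authority_flags: int = 0x00) -> bytes:
    """Encode type, length, classification level, one authority-flags octet."""
    if level not in LEVELS:
        raise ValueError("unknown classification level")
    return struct.pack("!BBBB", BSO_TYPE, 4, level, authority_flags)


def parse_bso(option: bytes) -> str:
    """Decode the label. Nothing here can tell whether it was rewritten."""
    if len(option) != 4:
        raise ValueError("unexpected option length")
    opt_type, length, level, _flags = struct.unpack("!BBBB", option)
    if opt_type != BSO_TYPE or length != 4 or level not in LEVELS:
        raise ValueError("malformed security option")
    return LEVELS[level]


def seal(key: bytes, option: bytes, payload: bytes) -> bytes:
    """ICV over label and payload together (assumed stand-in for AH)."""
    return hmac.new(key, option + payload, hashlib.sha256).digest()


def accept(key: bytes, option: bytes, payload: bytes, icv: bytes):
    """Return the label only if it is still bound to this payload."""
    if not hmac.compare_digest(seal(key, option, payload), icv):
        return None  # label or payload changed after sealing: drop the packet
    return parse_bso(option)


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"   # constructed sample key
    payload = b"constructed sample payload"     # constructed sample data
    label = build_bso(0x5A)
    icv = seal(key, label, payload)
    relabelled = build_bso(0xAB)                # label rewritten in transit
    print("label alone:", parse_bso(relabelled))
    print("with ICV   :", accept(key, relabelled, payload, icv))
    print("untouched  :", accept(key, label, payload, icv))
```

A receiver that only parses the option accepts the rewritten label as well-formed; the check in `accept` rejects it because the ICV was computed over the original label.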