Re: Comments on IPSO and AH/ESP
> One obvious problem with encapsulation is that if IPSO is in the inner
> packet, it can't easily be examined by the routers to perform
> filtering as routers do right now. This means the same
> interoperability issues with the status quo will also exist in this
> case.
>
Why not have the IPSO option appear in BOTH IP headers? The
encapsulated one to be signed and the real IP header to be
looked at by the router. Now someone could change the IPSO
in the real header so that the router would do something
unnatural to it but unless you are expecting the router to
understand IPSEC and authenticate the header (which requires
that it know about IPSEC anyway and hence could compare the
copies of the IPSO fields to see if they match) this is not
an issue. At this point saving bits is the least of our
problems.
Sean O'Malley
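
The comparison the message describes, for a device that has already authenticated the inner header, shown as an added example that is not part of the original message: it parses the IPv4 options of both headers and checks that the outer Basic Security Option (option type 130, RFC 1108) matches the signed inner copy. The function names and the sample headers are constructed for illustration.

```python
import struct

IPSO_BASIC = 130  # IPv4 option type of the Basic Security Option (RFC 1108)

def ipv4_options(header: bytes):
    """Yield (type, raw_option_bytes) for each option in an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    end = (header[0] & 0x0F) * 4          # IHL is counted in 32-bit words
    if end < 20 or end > len(header):
        raise ValueError("bad IHL")
    i = 20
    while i < end:
        opt = header[i]
        if opt == 0:                      # End of Option List
            return
        if opt == 1:                      # No-Operation, single byte
            i += 1
            continue
        length = header[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:
            raise ValueError("bad option length")
        yield opt, header[i:i + length]
        i += length

def ipso(header: bytes):
    """Return the raw Basic Security Option, or None if the header has none."""
    for opt, raw in ipv4_options(header):
        if opt == IPSO_BASIC:
            return raw
    return None

def outer_ipso_consistent(outer: bytes, inner: bytes) -> bool:
    """True when the outer (unsigned) IPSO copy equals the inner (signed) one."""
    return ipso(outer) == ipso(inner)

def make_header(options: bytes) -> bytes:
    """Build a constructed IPv4 header (checksum left at zero) around options."""
    options += b"\x00" * (-len(options) % 4)   # pad with End of Option List
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 4, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options

# Constructed sample options: type 130, length 4, classification level, one flags byte.
SECRET = bytes([IPSO_BASIC, 4, 0x5A, 0x80])
UNCLAS = bytes([IPSO_BASIC, 4, 0xAB, 0x80])

if __name__ == "__main__":
    print(outer_ipso_consistent(make_header(UNCLAS), make_header(SECRET)))
```

A mismatch means the outer label was altered in transit or never agreed with the signed copy; the check is only meaningful after the inner header has passed authentication.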