Re: Part Two: IPv4 Options We Can't Handle



Craig Metz writes:
> 	There are thousands of real users of IPSO right now who would not
> agree with your statement that IPv4 options need not be protected. The same
> security-conscious sites that use IPSO and CIPSO right now are a significant
> portion of IPsec's potential user base. Failing to deliver on what could be
> their main requirement for IPsec will NOT make them happy, will NOT cause
> them to buy into IPsec, and will NOT help IPsec's deployment.
> 
> 	To me, IPSO/CIPSO is a harsh market reality that IPsec must face.
> The good news here is that, because they are invariant [or BETTER BE ;)],
> protecting them with AH is tractable.

I agree that protecting security options with the AH is desirable, but
how do we do it in the face of existing IPv4 routers that reorder
options?  Sort them before calculating the AH?  (only .5 :-)
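The reordering question raised above, as an added example that is not part of this thread or of any IPsec implementation: a small Python model of an AH-style integrity check over an IPv4 header with options. It zeroes the fields a router may legitimately rewrite in transit (TOS, flags/fragment offset, TTL, header checksum), the way AH treats mutable fields, and then compares two strategies for the options field: hashing the options exactly as they appear, versus sorting the TLV options into a canonical order first, which is the "sort them before calculating the AH" idea. The header bytes, the key, and the option payloads are constructed for the example; option type numbers 130 (basic security option) and 134 (CIPSO) are the IANA assignments and are used only to make the sample look like a security-labelled packet.

```python
import hashlib
import hmac

# Constructed 20-byte IPv4 header for the example: version 4, IHL 8 (20 bytes of
# fixed header plus 12 bytes of options), TOS 0x10, total length 52, id 0x1234,
# DF set, TTL 64, protocol 51 (AH), placeholder checksum, 10.0.0.1 -> 10.0.0.2.
IPV4_HEADER = bytes.fromhex("48 10 0034 1234 4000 40 33 beef 0a000001 0a000002".replace(" ", ""))

# Constructed option payloads: a basic security option (type 130) and a CIPSO
# option (type 134). The bytes after type/length are made up and carry no meaning.
OPT_SEC = bytes([130, 6, 0xAB, 0x01, 0x02, 0x03])
OPT_CIPSO = bytes([134, 6, 0x00, 0x00, 0x00, 0x01])
OPTIONS_AS_SENT = OPT_SEC + OPT_CIPSO      # order the sender emitted
OPTIONS_REORDERED = OPT_CIPSO + OPT_SEC    # same options after a router reordered them

KEY = b"example-ah-key-not-for-real-use"  # constructed key


def immutable_header(hdr: bytes) -> bytes:
    """Return the fixed IPv4 header with the mutable fields zeroed, so that
    in-transit changes to TOS, flags/fragment offset, TTL and checksum do not
    affect the integrity value (the treatment AH gives mutable fields)."""
    h = bytearray(hdr[:20])
    h[1] = 0               # TOS
    h[6] = h[7] = 0        # flags + fragment offset
    h[8] = 0               # TTL
    h[10] = h[11] = 0      # header checksum
    return bytes(h)


def parse_options(opts: bytes) -> list:
    """Split the options field into individual options. EOL (0) and NOP (1) are
    single bytes; every other option is a type/length/value triple."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                         # End of Option List: rest is padding
            out.append(opts[i:i + 1])
            break
        if t == 1:                         # No-Operation
            out.append(opts[i:i + 1])
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("bad option length %d at offset %d" % (ln, i))
        out.append(opts[i:i + ln])
        i += ln
    return out


def canonical_options(opts: bytes) -> bytes:
    """Canonical form of the options field: drop NOP/EOL padding (it carries no
    information) and sort the remaining options. Sorting the raw option bytes
    orders them by type first, then by content, so the result is deterministic
    even if two options share a type."""
    real = [o for o in parse_options(opts) if o[0] not in (0, 1)]
    return b"".join(sorted(real))


def ah_icv(key: bytes, hdr: bytes, opts: bytes, canonical: bool) -> bytes:
    """Integrity value over the immutable header plus the options field, either
    as sent (canonical=False) or in canonical order (canonical=True). HMAC-SHA-256
    stands in for whatever AH algorithm is negotiated."""
    covered = immutable_header(hdr) + (canonical_options(opts) if canonical else opts)
    return hmac.new(key, covered, hashlib.sha256).digest()


def reorder_survives(key: bytes, hdr: bytes, sent: bytes, received: bytes, canonical: bool) -> bool:
    """True if the receiver's ICV over the (possibly reordered) options matches
    the sender's ICV under the chosen strategy."""
    return hmac.compare_digest(ah_icv(key, hdr, sent, canonical),
                               ah_icv(key, hdr, received, canonical))


if __name__ == "__main__":
    print("as-sent hashing survives reorder:",
          reorder_survives(KEY, IPV4_HEADER, OPTIONS_AS_SENT, OPTIONS_REORDERED, False))
    print("canonical hashing survives reorder:",
          reorder_survives(KEY, IPV4_HEADER, OPTIONS_AS_SENT, OPTIONS_REORDERED, True))
```

The trade-off the model makes visible: hashing the options as sent fails verification on any packet a router has reordered, while canonicalizing makes the check order-independent at the price of never noticing a reorder, so it is only acceptable if option order carries no meaning. Canonicalization also has to agree on what to discard (NOP and EOL padding here), because the receiver's options field may be padded differently from the sender's once options have moved.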