
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard



I would support the concern that Greg raised.

There is an increased use of finer-grained traffic classification, in
which port numbers play a role.

It is true that, for maximum security, this information may want to be 
hidden.  Greg recognized that in his suggestion that the port number
copy in the security header could be supplied as all zero.

If the port number is concealed (either with IPSec as it is currently
defined, or with zeroed port numbers in Greg's suggestion) then a
traffic classifier would have no port information and would have to
classify all that traffic as "other" or "unknown application".  This
may be acceptable in many cases.

Creating an *option* of supplying port information to the
classifier allows a user to give up a small amount of security and
gain the benefit of being classified into a different traffic category
that has different (presumably better) service.  I believe this is a
valuable option.

	Paul Koning
	Xedia Corporation
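As an added illustration (not part of this message, nor code from any IPsec implementation), the following Python classifier shows the three situations the thread discusses: a cleartext TCP/UDP packet whose ports drive classification, an ESP packet whose ports are inside the encrypted payload and therefore land in the "unknown" bucket, and an ESP packet accompanied by an optional port copy, where an all-zero copy means the sender chose to conceal the ports. The IPv4, TCP, UDP and ESP packets are constructed inline; the port-to-category table and the `port_hint` parameter, which stands in for the port-number copy in the security header that Greg proposed, are assumptions made for the example.

```python
import struct

# IANA protocol numbers for the transport headers the classifier understands.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50

# Constructed port-to-category table (an assumption for this example).
PORT_CLASSES = {22: "interactive", 53: "dns", 80: "web", 443: "web"}


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 packet: 20-byte header (IHL 5, checksum left zero) plus payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport, data=b""):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data


def build_udp(sport, dport, data=b""):
    """8-byte UDP header: ports, length, checksum (zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, ciphertext):
    """ESP: cleartext SPI and sequence number, then the encrypted payload.

    The inner transport header (and its ports) lives inside ciphertext, so a
    classifier on the path sees nothing it can use.
    """
    return struct.pack("!II", spi, seq) + ciphertext


def _class_for_ports(sport, dport):
    # Prefer the destination port (the service side), then fall back to the source port.
    return PORT_CLASSES.get(dport) or PORT_CLASSES.get(sport) or "other"


def classify(packet, port_hint=None):
    """Return a traffic category for one IPv4 packet.

    port_hint is a hypothetical (src, dst) copy of the ports carried outside
    the encrypted payload, modelling the option discussed in the thread;
    (0, 0) means the sender deliberately concealed the ports.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    transport = packet[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(transport) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", transport[:4])
        return _class_for_ports(sport, dport)
    if proto == PROTO_ESP:
        # Ports are encrypted; only an explicit hint can place this flow.
        if port_hint is None:
            return "unknown"
        sport, dport = port_hint
        if sport == 0 and dport == 0:
            return "unknown"
        return _class_for_ports(sport, dport)
    return "other"


if __name__ == "__main__":
    esp = build_ipv4(PROTO_ESP, build_esp(0x1234, 1, b"\x00" * 32))
    print(classify(build_ipv4(PROTO_TCP, build_tcp(40000, 443))))  # web
    print(classify(esp))                                           # unknown
    print(classify(esp, port_hint=(40000, 443)))                   # web
    print(classify(esp, port_hint=(0, 0)))                         # unknown
```

The classifier only ever reads the first four bytes of the transport header, which is exactly the information ESP removes from the path; the hint parameter shows how small the disclosed surface is in exchange for a usable traffic category.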

