[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Deprecation of AH header from the IPSEC tool kit
> From: John Ioannidis [mailto:ji@research.att.com]
>
> > about Security Policy a coworker and I came across a
> requirement for IPSO
> > (RFC1108) U.S. Department of Defense Security Options for
> the Internet
>
> In the presence of IPsec, IPSO (and CIPSO and stuff) are
> redundant. One
> can achieve the same effect by proper interpretation of SAs.
> Any system
> capable of verifying the AH header (so it can authenticate the IPSO)
> can simply make policy decisions based on the SA.
>
> /ji
The security label can be used to select the SA in the first place.
Chris