
RE: Internet Draft for explicit security labels in IPv6.



My understanding of the draft was that one of the goals is for intervening
routers to be able to make routing decisions based on the contents of the
security label (Section 3.4):

   A router needs to trust the authenticity and integrity of a
   packet before making routing decision based on the content of its
   label.

The proposal is to permit security labels in Hop-By-Hop Extension Headers,
which (if I remember correctly) are only protected by AH.

This would seem to require AH.

Best Regards,
Joseph D. Harwood
jharwood@vesta-corp.com
www.vesta-corp.com

> -----Original Message-----
> From: smb@research.att.com [mailto:smb@research.att.com]
> Sent: Thursday, March 01, 2001 11:27 AM
> To: Kais Belgaied
> Cc: ipng@sunroof.eng.sun.com; ipsec@lists.tislabs.com;
> jharwood@vesta-corp.com
> Subject: Re: Internet Draft for explicit security labels in IPv6.
>
>
> In message <200103011857.KAA10956@domus.ebay.sun.com>, Kais Belgaied writes:
> >It mandates a guarantee that the label on the IPv6 is authentic before trusting
> >it. In a link-local scope, where the label is proposed to be carried in the
> >destination header, ESP is mandatory and sufficient.
> >On a wider scope, AH is necessary.
>
> Or it could be bound to the certificate and recreated at the far end.
> >
> >Kais.
> > >
> > >This sounds like it mandates the use of AH, is that correct?
> > >
> > >Best Regards,
> > >Joseph D. Harwood
> > >jharwood@vesta-corp.com
> > >www.vesta-corp.com
> > >
> > >> -----Original Message-----
> > >> From: owner-ipsec@lists.tislabs.com
> > >> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Kais Belgaied
> > >> Sent: Wednesday, February 28, 2001 7:18 PM
> > >> To: ipng@sunroof.eng.sun.com; ipsec@lists.tislabs.com
> > >> Subject: Internet Draft for explicit security labels in IPv6.
> > >>
> > >>
> > >> Greetings,
> > >>
> > >> IPv4 had IPSO and CIPSO for labeling of packets assuming we're operating
> > >> within the premises of a trusted infrastructure.
> > >> IPv6 only has the implicit labeling by having different IPsec SAs convey
> > >> different labels.
> > >> We think there is a need to have explicit labels in IPv6, whether or not
> > >> IPsec is used.
> > >>
> > >> Please see draft-belgaied-ipv6-lsopt-00.txt
> > >>
> > >> http://www.ietf.org/internet-drafts/draft-belgaied-ipv6-lsopt-00.txt
> > >>
> > >>
> > >> Regards,
> > >> Kais.
> > >>
> > >>
> > >>
> >
> >
> >
>
>
> 		--Steve Bellovin, http://www.research.att.com/~smb
>
>
>
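
Added example, not part of the original thread or the draft: a sketch of why a label carried in a Hop-by-Hop option falls under AH's integrity check but never under ESP's. The option types 0x1E and 0x3E, the label bytes and the sample packets are constructed placeholders (not the draft's values); `payload` is assumed to be the bytes following the 40-byte IPv6 fixed header.

```python
# IANA Next Header numbers for the headers discussed in this thread.
HBH, TCP, ESP, AH, DSTOPT = 0, 6, 50, 51, 60
NAME = {HBH: "hop-by-hop", DSTOPT: "dest-opts", AH: "AH", ESP: "ESP", TCP: "TCP"}

def options(body):
    """Yield the type of each TLV option in an options-header body."""
    i = 0
    while i < len(body):
        if body[i] == 0:              # Pad1 is a single byte with no length
            i += 1
            continue
        yield body[i]
        i += 2 + body[i + 1]          # type + length byte + option data

def ah_coverage(first_nh, payload):
    """Walk the cleartext extension-header chain. Return a dict mapping each
    option to the set of IPsec protocols whose integrity check covers it,
    plus the name of the header where the walk stopped."""
    seen, nh, off, has_ah = [], first_nh, 0, False
    while nh in (HBH, DSTOPT, AH):
        next_nh, len_field = payload[off], payload[off + 1]
        # AH length: 4-byte units minus 2. Option headers: 8-byte units minus 1.
        size = (len_field + 2) * 4 if nh == AH else (len_field + 1) * 8
        if nh == AH:
            has_ah = True
        else:
            for typ in options(payload[off + 2:off + size]):
                # Bit 0x20 of the option type marks data that may change en
                # route; AH treats such option data as zero in the ICV.
                seen.append((f"{NAME[nh]} opt 0x{typ:02x}", not typ & 0x20))
        nh, off = next_nh, off + size
    # ESP authenticates only from its own header onward, so nothing found
    # ahead of it in the chain is ever inside ESP's integrity check.
    cover = {n: ({"AH"} if has_ah and fixed else set()) for n, fixed in seen}
    return cover, NAME.get(nh, nh)

# Constructed sample data (placeholder label option, zeroed AH SPI/seq/ICV).
LABEL = bytes([0x1E, 4]) + b"\x00\x00\x00\x05"          # immutable option
LABEL_MUTABLE = bytes([0x3E, 4]) + b"\x00\x00\x00\x05"  # change-en-route bit set
AH_HDR = bytes([TCP, 4, 0, 0]) + bytes(20)              # 24-byte AH, 96-bit ICV
PKT_AH = bytes([AH, 0]) + LABEL + AH_HDR + b"tcp-segment"
PKT_AH_MUTABLE = bytes([AH, 0]) + LABEL_MUTABLE + AH_HDR + b"tcp-segment"
PKT_ESP = bytes([ESP, 0]) + LABEL + b"esp-spi-seq-ciphertext"

if __name__ == "__main__":
    for pkt in (PKT_AH, PKT_AH_MUTABLE, PKT_ESP):
        print(ah_coverage(HBH, pkt))
```

A label option defined with the change-en-route bit set would not be protected even with AH present, which is the second case above.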