
Re: Internet Draft for explicit security labels in IPv6.



In message <NDBBIBHFGLMFGJLIBOBMOEIPCCAA.jharwood@vesta-corp.com>, "Joseph D. Harwood" writes:
>My understanding of the draft was that one of the goals is for intervening
>routers to be able to make routing decisions based on the contents of the
>security label (Section 3.4):
>
>   A router needs to trust the authenticity and integrity of a
>   packet before making routing decision based on the content of its
>   label.
>
>The proposal is to permit security labels in Hop-By-Hop Extension Headers,
>which (if I remember correctly) are only protected by AH.
>
>This would seem to require AH.

But intermediate routers don't have the keys to verify the AH header.

		--Steve Bellovin, http://www.research.att.com/~smb