Re: Internet Draft for explicit security labels in IPv6.

["Steven M. Bellovin" <smb@research.att.com>]

In message <200103012137.NAA12627@domus.ebay.sun.com>, Kais Belgaied writes:
>>>It mandates a guarantee that the label on the IPv6 is authentic before trust
>in
>>>g
>>>it. In a link-local scope, where the label is proposed to be carried in the
>>>destination header, ESP is mandatory and sufficient.
>>>On a wider scope, AH is necessary.
>>
>>Or it could be bound to the certificate and recreated at the far end.
>
>It could, with the scalability limitation of implicit labeling.
>
I'm afraid I don't see the limitation.  The certificate itself could 
contain the label.

There are two cases, transport mode IPsec and tunnel mode.  In tunnel 
mode, as Kent pointed out, there is an inner IP header, option fields, 
etc.; in this case, the receiving gateway may wish to verify the labels
in the inner header, but need do nothing.

Transport mode is end-to-end, in which case the machine receiving the 
packet is either the ultimate end point -- in which case it can extract 
the label from the certificate and pass them up to TCP together -- or 
it's a bump-in-the-{wire,stack} on that machine.  In such cases, it 
should be quite straightforward to add the certificate's label -- if 
nothing else, it's already reassembling the packet to combine the IP 
header and the body, which were separated by the IPsec header.

		--Steve Bellovin, http://www.research.att.com/~smb

---

Follow-Ups:

• Re: Internet Draft for explicit security labels in IPv6.
• From: Kais Belgaied <kais@domus.ebay.sun.com>

---

• Prev by Date: Re: Internet Draft for explicit security labels in IPv6.
• Next by Date: Label on the H-b-H (was Re: Internet Draft for explicit security labels in IPv6. )
• Prev by thread: Re: Internet Draft for explicit security labels in IPv6.
• Next by thread: Re: Internet Draft for explicit security labels in IPv6.
• Index(es):
  • Main
  • Thread