[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Label on the H-b-H (was Re: Internet Draft for explicit security labels in IPv6. )



For a router to trust a label in the hop-by-hop header, it has to either
*believe* the packet is authentic (packet coming in through an interface
connected to a highly secured network), or it is the other end (dst) of an
AH AS protecting the labeled packet.

Here is an example:

       Secure (trusted)   Unsecure network   Secure network
          network         (non trustworthy)
          /------\         //----\\         /------\
          |      |         |      |         |      |
Host1  --|      |-- SGW1--|      | --SGW2--|      |--- Host2
          |      |         |      |         |      |
          \------/         \\----//         \------/

The security policy requires that data at certain labels follow certain paths
inside the secure networks, and that it is offered a certain protection when
travelling through untrusted clouds. The inside routers in the trusted networks
will use the label for trusted routing. Edge routers SGW1 & SGW2 MUST use an AH
SA

If confidentiality is required, An additional AH ESP between Host1 and Host2
can be used.

Kais.

 >>
 >>My understanding of the draft was that, one of the goals is for intervening
 >>routers to be able to make routing decisions based on the contents of the
 >>security label (Section 3.4):
 >>
 >>   A router needs to trust the authenticity and integrity of a
 >>   packet before making routing decision based on the content of its
 >>   label.
 >>
 >>The proposal is to permit security labels in Hop-By-Hop Extension Headers,
 >>which (if I remember correctly) are only protected by AH.
 >>
 >>This would seem to require AH.
 >
 >But intermediate routers don't have the keys to verify the AH header.
 >
 >		--Steve Bellovin, http://www.research.att.com/~smb
 >
 >




Follow-Ups: