
Re: Label on the H-b-H (was Re: Internet Draft for explicit security labels in IPv6.)



Kais,

>For a router to trust a label in the hop-by-hop header, it has to either
>*believe* the packet is authentic (packet coming in through an interface
>connected to a highly secured network), or it is the other end (dst) of an
>AH AS protecting the labeled packet.
>
>Here is an example:
>
>        Secure (trusted)   Unsecure network   Secure network
>           network         (non trustworthy)
>           /------\         //----\\         /------\
>           |      |         |      |         |      |
>Host1    --|      |-- SGW1--|      | --SGW2--|      |--- Host2
>           |      |         |      |         |      |
>           \------/         \\----//         \------/
>
>The security policy requires that data at certain labels follow certain paths
>inside the secure networks, and that it is offered a certain protection when
>travelling through untrusted clouds. The inside routers in the trusted networks
>will use the label for trusted routing. Edge routers SGW1 & SGW2 MUST use an AH
>SA
>
>If confidentiality is required, an additional AH ESP between Host1 and Host2
>can be used.

I would expect SGW1 and SGW2 to establish an ESP tunnel between them, 
invoking integrity and authenticity for that tunnel (maybe 
confidentiality too) and that the security label would not be 
"visible" to the unsecure network. IPsec mandates that this SA be a 
tunnel, so the protection offered to the label by that SA, as I 
described above, is just right for your purpose.


Steve

