
Re: AH and flow label



 In your previous mail you wrote:

   >    I have seen several projects started that intend to take
   >    advantage of RFC 3697.
   >
   > => note that RFC 3697 explains why the protection of the flow label is
   > not in fact useful. Can you give more details, for instance are flow
   > labels used by the destination?
   
   Yes, most of these projects expect to use the flow label at the 
   destination.

=> and they expect to use AH end-to-end too?

   And one of these projects is using it in conjunction with 
   source-routing.
   
=> source-routing doesn't change the argument that the intermediate nodes
can't check the ICV.

   > => 100% incompatibility for IPv6/IPsec implementations which support AH
   > and put a non-zero flow label in packets (i.e., all conformant
   > implementations :-).
   
   Right.  My question was an attempt to see how many implementations
   support IPSec AH today.
   
=> all IPv6/IPsec implementations I know (BSDs, Linux 2.6, the latest Windows,
etc).

   >    Can anyone speak to their IPv6/IPSec implementations on this issue?
   >
   > => I strongly object to changing the current choice (not protecting
   > the flow label despite it being immutable) for two reasons:
   >  - a change will be incompatible with current implementations
   
   Agreed.  I don't want to break a lot of implementations.  However, my
   question above on who supports AH today is germane.
   
   >  - the protection doesn't work on transit routers, i.e., where
   >    the flow label is used.
   
   For the transit use, I agree.  Destination use is something new.
   
=> it would be good to get more info because AH itself is subject
to calls for deprecation based on the facts that ESP can be used in place
of it in most cases and AH is not widely used...

Thanks

Francis.Dupont@enst-bretagne.fr

PS: note there is a possible ugly compromise: protect flow labels
only when ESNs (extended sequence numbers, option of the new version
of AH) are enabled. This solves the compatibility issue but we should
have stronger arguments than "it is prettier to protect flow labels".

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------