RE: AH and flow label

> At 2:56 PM -0400 9/10/04, Bound, Jim wrote:
> >OK I am worried now.  Is there a security hole and potentially serious
> >problem by not including the Flowlabel in the ICV?  We do need to ask
> >this question and should not ignore it.  Then the trade-offs can be
> >determined.  But that data and what problem it solves should be fairly
> >compelling to go tell product implementors to add it.
> Jim,
> Based on your comments in this message, I think there is some misunderstanding.
> We are not talking about changing AH v1; we are discussing AH v2. To 
> correctly implement AH v2, one already has to be able to accommodate 
> 64 bit sequence numbers, vs. the 32 bit sequence numbers in v1. AH v2 
> is still an I-D, not an RFC. So, while a change in whether to include 
> the flow label in the ICV would make v2 not backward compatible with 
> v1, v2 is already not backward compatible with v1 due to the required 
> sequence number support difference.
> Does this help?

	I want a clarification:
	Are you suggesting that AHv2 (and ESPv3) will have a different protocol
	number from the current AH/ESP?  Otherwise we cannot distinguish
	between AHv2/ESPv3 traffic and old AH/ESP traffic.
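To make the two points the thread turns on concrete, the following is an added example written for this page; it is not code from the thread, from the I-D, or from any IPsec implementation. It models the AH ICV computation over an IPv6 packet using the header layouts of RFC 2460 and RFC 4302: mutable fields are zeroed before the HMAC, the 64-bit extended sequence number (ESN) travels as its low 32 bits with the high 32 bits appended to the covered data, and the flow label is treated either as mutable (zeroed) or as covered by the ICV, which is the choice under discussion. The key, SPI, addresses and payload are constructed values, and HMAC-SHA1-96 is assumed as the integrity algorithm. The example does not settle which flow-label policy is right; it shows what each implies when a router rewrites the flow label in transit, and why a receiver that does not track the high-order sequence bits cannot verify an ESN sender.

```python
import hmac
import hashlib
import struct

# All values below are constructed for this illustration; the key, SPI and
# addresses do not belong to any real SA.
KEY = b"sixteen-byte-key"   # hypothetical shared SA key for HMAC-SHA1-96
ICV_LEN = 12                # HMAC-SHA1-96 truncates the tag to 96 bits
AH_PROTO = 51               # IPv6 Next Header value for AH
NO_NEXT = 59                # "no next header": the payload is opaque bytes

SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_header(flow_label, hop_limit, payload_len, tclass=0):
    """Serialise a 40-byte IPv6 header whose next header is AH."""
    vtf = (6 << 28) | ((tclass & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", vtf, payload_len, AH_PROTO, hop_limit) + SRC + DST


def ah_header(spi, seq_low32, icv=bytes(ICV_LEN)):
    """Serialise a 24-byte AH header with a 96-bit ICV (RFC 4302 section 2).
    Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", NO_NEXT, payload_len, 0, spi, seq_low32) + icv


def zero_mutable(ip6, cover_flow_label):
    """Copy of the IPv6 header with mutable fields zeroed for the ICV.
    Traffic class and hop limit are always mutable.  Whether the flow label is
    zeroed (mutable) or left in place (covered) is the policy being debated,
    so it is a parameter here."""
    vtf = struct.unpack("!I", ip6[:4])[0]
    vtf &= ~(0xFF << 20)            # traffic class (DSCP/ECN) is mutable
    if not cover_flow_label:
        vtf &= ~0xFFFFF             # treat the 20-bit flow label as mutable
    return struct.pack("!I", vtf) + ip6[4:7] + b"\x00" + ip6[8:]  # byte 7 = hop limit


def compute_icv(ip6, spi, seq64, payload, use_esn, cover_flow_label):
    """HMAC over the zeroed IPv6 header, the AH header with its ICV field
    zeroed, and the payload.  With ESN (RFC 4302 section 2.5.1) only the low
    32 bits of the sequence number are in the header, but the high 32 bits
    are appended to the data the ICV covers."""
    data = zero_mutable(ip6, cover_flow_label)
    data += ah_header(spi, seq64 & 0xFFFFFFFF)      # ICV field is all zero
    data += payload
    if use_esn:
        data += struct.pack("!I", seq64 >> 32)
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(flow_label, spi, seq64, payload, use_esn, cover_flow_label):
    """Sender side: IPv6 header + AH header (with ICV filled in) + payload."""
    ip6 = ipv6_header(flow_label, hop_limit=64, payload_len=24 + len(payload))
    icv = compute_icv(ip6, spi, seq64, payload, use_esn, cover_flow_label)
    return ip6 + ah_header(spi, seq64 & 0xFFFFFFFF, icv) + payload


def verify_packet(pkt, seq_high32, use_esn, cover_flow_label):
    """Receiver side: rebuild the covered data and compare ICVs in constant
    time.  seq_high32 is the receiver's own notion of the ESN high bits."""
    ip6, ah, payload = pkt[:40], pkt[40:64], pkt[64:]
    spi, seq_low = struct.unpack("!II", ah[4:12])
    seq64 = (seq_high32 << 32) | seq_low
    expected = compute_icv(ip6, spi, seq64, payload, use_esn, cover_flow_label)
    return hmac.compare_digest(expected, ah[12:24])


def rewrite_flow_label(pkt, new_label):
    """Simulate a router that rewrites the flow label and decrements hop limit."""
    vtf = struct.unpack("!I", pkt[:4])[0]
    vtf = (vtf & ~0xFFFFF) | (new_label & 0xFFFFF)
    return struct.pack("!I", vtf) + pkt[4:7] + bytes([pkt[7] - 1]) + pkt[8:]


def flow_label_rewrite_survives(cover_flow_label):
    """Does a packet still verify after its flow label is rewritten in transit?"""
    pkt = build_packet(0x12345, spi=0x100, seq64=1, payload=b"hello",
                       use_esn=False, cover_flow_label=cover_flow_label)
    pkt = rewrite_flow_label(pkt, 0x54321)
    return verify_packet(pkt, 0, use_esn=False, cover_flow_label=cover_flow_label)


def esn_receiver_accepts(sender_seq64, receiver_high32):
    """An ESN sender's packet verifies only if the receiver supplies the same
    high-order 32 bits; a receiver that never tracked them (high bits 0)
    rejects every packet once the sender's counter passes 2**32."""
    pkt = build_packet(0, spi=0x100, seq64=sender_seq64, payload=b"hello",
                       use_esn=True, cover_flow_label=False)
    return verify_packet(pkt, receiver_high32, use_esn=True, cover_flow_label=False)


if __name__ == "__main__":
    print("flow label mutable, rewritten in transit:", flow_label_rewrite_survives(False))
    print("flow label covered, rewritten in transit: ", flow_label_rewrite_survives(True))
    print("ESN receiver with the right high bits:    ", esn_receiver_accepts((1 << 32) + 5, 1))
    print("ESN receiver assuming high bits are zero: ", esn_receiver_accepts((1 << 32) + 5, 0))
```

Running it shows the trade-off in one place: with the flow label treated as mutable, a rewrite in transit is invisible to AH; with the flow label covered, the same rewrite fails verification, so whoever changes the label on the path breaks the SA. The ESN case shows the compatibility point from the quoted reply: the wire format of the AH header is the same for 32-bit and 64-bit sequence numbers, and only the ICV reveals the mismatch, which is why nothing in the packet itself distinguishes the two.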


