Re: Secdir Review of draft-stjohns-sipso-05

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Sam Hartman wrote:
>>>>>> "Joe" == Joe Touch <touch@xxxxxxx> writes:
> 
> 
>     Joe> I was wondering about that; it seems inconsistent to have
>     Joe> this document require something that is optional in RFC 4301.
> 
> I suspect you realize this, but some people following the discussion
> may not.  It's critical to this mechanism that intermediate systems be
> able to read the sensitivity level.  You can either do hop-by-hop SAs
> using either ESP-null or AH, or end-to-end SAs using AH or ESP/null
> plus one of the fixes so you can determine that a packet is ESP-null
> rather than ESP-encrypted.  Note that if you are talking about
> end-to-end SAs you need to either explain why the intermediate systems
> don't need to be able to confirm the integrity of the label, or you
> need to address Steve Bellovin's concerns.

Hi, Sam,

Thanks for pointing that out. The issue, AFAICT, is how to achieve the
required transparency while relying on (as much as possible) only
protocols that are MUSTs, rather than MAYs.

Perhaps that's less of an issue for this system, but I would hate to
have it depend on IPsec devices that implemented a MAY.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjlUNMACgkQE5f5cImnZrtJEgCghWYeCC7flc8lHvjh4r+j963A
3CsAnRAOyGF7jSYVzoGV5h9WMIMQtao+
=pogB
-----END PGP SIGNATURE-----
_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
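The following Python model is added here as an illustration of the point Sam makes above; it is not part of the thread, the draft, or RFC 4301/4302/4303. It shows why an intermediate system can read a sensitivity label carried in an IPv6 Hop-by-Hop option whether the packet uses AH or ESP, why it can confirm the label's integrity only under AH (or a hop-by-hop SA whose key it holds), and why ESP-null and encrypted ESP cannot be told apart from the visible fixed fields. Assumptions: no IPv6 base header and no mutable-field zeroing are modelled, the ICV is hard-wired to HMAC-SHA-1-96, the label option uses the CALIPSO option type 0x07, random bytes stand in for ciphertext, and the key, label and payload are constructed sample data.

```python
"""Added illustration (not from the thread): label visibility vs. label integrity
for an on-path node under AH and ESP.  Simplified model: no IPv6 base header,
no mutable-field zeroing, ICV fixed to HMAC-SHA-1-96, constructed sample data."""
import hashlib
import hmac
import os
import struct

ICV_LEN = 12               # HMAC-SHA-1-96 truncated ICV (RFC 2404)
CALIPSO_OPT_TYPE = 0x07    # RFC 5570 option type: skip-if-unknown, immutable in transit
NH_ESP, NH_AH, NH_TCP = 50, 51, 6


def hopopts(label: bytes, next_header: int) -> bytes:
    """Hop-by-Hop Options header holding one label option, padded to a multiple of 8 octets."""
    opt = bytes([CALIPSO_OPT_TYPE, len(label)]) + label
    pad = (-(2 + len(opt))) % 8
    if pad == 1:
        opt += b"\x00"                                        # Pad1
    elif pad > 1:
        opt += bytes([0x01, pad - 2]) + b"\x00" * (pad - 2)   # PadN
    return bytes([next_header, (2 + len(opt)) // 8 - 1]) + opt


def read_label(pkt: bytes) -> bytes:
    """What any intermediate system can do: walk the Hop-by-Hop options and return the label."""
    end = (pkt[1] + 1) * 8
    i = 2
    while i < end:
        if pkt[i] == 0x00:              # Pad1 has no length octet
            i += 1
            continue
        length = pkt[i + 1]
        if pkt[i] == CALIPSO_OPT_TYPE:
            return pkt[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("no label option present")


def ah_packet(key: bytes, label: bytes, payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    """AH transport mode: ICV covers the Hop-by-Hop header, the AH header (ICV zeroed) and the payload."""
    hh = hopopts(label, NH_AH)
    ah_fixed = struct.pack("!BBHII", NH_TCP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, hh + ah_fixed + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hh + ah_fixed + icv + payload


def verify_ah(key: bytes, pkt: bytes) -> bool:
    """Intermediate holding the SA key recomputes the AH ICV over everything it covers."""
    hh_len = (pkt[1] + 1) * 8
    ah_fixed, icv, payload = pkt[hh_len:hh_len + 12], pkt[hh_len + 12:hh_len + 24], pkt[hh_len + 24:]
    expected = hmac.new(key, pkt[:hh_len] + ah_fixed + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def esp_packet(key: bytes, label: bytes, payload: bytes, encrypt: bool, spi: int = 0x2002, seq: int = 1) -> bytes:
    """ESP transport mode: ICV covers SPI..trailer only; the Hop-by-Hop header sits outside it."""
    hh = hopopts(label, NH_ESP)
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, NH_TCP])   # payload + ESP trailer
    if encrypt:
        body = os.urandom(len(body))     # constructed stand-in for ciphertext, same length as the null case
    esp = struct.pack("!II", spi, seq) + body
    return hh + esp + hmac.new(key, esp, hashlib.sha1).digest()[:ICV_LEN]


def verify_esp(key: bytes, pkt: bytes) -> bool:
    """ESP ICV check; note that nothing before the SPI is covered."""
    hh_len = (pkt[1] + 1) * 8
    esp, icv = pkt[hh_len:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(key, esp, hashlib.sha1).digest()[:ICV_LEN], icv)


def relabel(pkt: bytes, new_label: bytes) -> bytes:
    """On-path rewrite of the label, same length so the layout is unchanged.
    In this model the option always starts at offset 2 of the Hop-by-Hop header."""
    old_len = pkt[3]
    assert len(new_label) == old_len
    return pkt[:4] + new_label + pkt[4 + old_len:]


def demo(label: bytes = b"SECRET:A", payload: bytes = b"GET / HTTP/1.1\r\n") -> dict:
    key = b"\x0b" * 20                   # constructed SA key; in the hop-by-hop case the router holds it too
    forged = b"PUBLIC:A"
    ah = ah_packet(key, label, payload)
    esp_null = esp_packet(key, label, payload, encrypt=False)
    esp_enc = esp_packet(key, label, payload, encrypt=True)
    hh_len = (esp_null[1] + 1) * 8
    return {
        # The label is readable on path under every framing.
        "label_readable": read_label(ah) == read_label(esp_null) == read_label(esp_enc) == label,
        # Under AH a relabel breaks the ICV, so a key-holding intermediate detects it.
        "ah_detects_relabel": verify_ah(key, ah) and not verify_ah(key, relabel(ah, forged)),
        # Under ESP the ICV still verifies after a relabel: the label is not protected at all.
        "esp_misses_relabel": verify_esp(key, relabel(esp_null, forged)),
        # ESP-null and encrypted ESP share length and fixed fields; format alone cannot separate them.
        "esp_null_vs_enc_same_shape": len(esp_null) == len(esp_enc) and esp_null[:hh_len + 8] == esp_enc[:hh_len + 8],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run as a script to see the four checks; the two ESP results are the ones behind Sam's remark that an end-to-end ESP-null deployment needs either an argument for why intermediate systems need not confirm the label or one of the fixes that lets them recognise ESP-null.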
