some things to discuss about MAC

Crist J . Clark cristjc at earthlink.net
Sat Dec 29 20:27:49 GMT 2001 

On Sat, Dec 29, 2001 at 09:21:21AM -0500, Robert Watson wrote:
[snip]

> - IPsec transport mode might also be interesting, although I have not yet
>   thought about it much.  My guess is that we'd assign labels based on the
>   SA, but since I think IP options are not covered by AH, we might not be
>   able to use CIPSO with it.  Not sure yet, but it's worth exploring.

IPv4 options are handled by AH. Heavily snipped portions of RFC2402:

3.3.3.1.1.2  Options

   For IPv4 (unlike IPv6), there is no mechanism for tagging options as
   mutable in transit.  Hence the IPv4 options are explicitly listed in
   Appendix A and classified as immutable, mutable but predictable, or
   mutable.  For IPv4, the entire option is viewed as a unit; so even
   though the type and length fields within most options are immutable
   in transit, if an option is classified as mutable, the entire option
   is zeroed for ICV computation purposes.


Appendix A:

           Opt.
Copy Class  #   Name                      Reference
---- ----- ---  ------------------------  ---------
IMMUTABLE -- included in ICV calculation
  0   0     0   End of Options List       [RFC791]
  0   0     1   No Operation              [RFC791]
  1   0     2   Security                  [RFC1108(historic but in use)]
  1   0     5   Extended Security         [RFC1108(historic but in use)]
  1   0     6   Commercial Security       [expired I-D, now US MIL STD]
  1   0    20   Router Alert              [RFC2113]
  1   0    21   Sender Directed Multi-    [RFC1770]
                Destination Delivery
MUTABLE -- zeroed
  1   0      3  Loose Source Route        [RFC791]
  0   2      4  Time Stamp                [RFC791]
  0   0      7  Record Route              [RFC791]
  1   0      9  Strict Source Route       [RFC791]
  0   2     18  Traceroute                [RFC1393]

EXPERIMENTAL, SUPERCEDED -- zeroed
  1   0      8  Stream ID                 [RFC791, RFC1122 (Host Req)]
  0   0     11  MTU Probe                 [RFC1063, RFC1191 (PMTU)]
  0   0     12  MTU Reply                 [RFC1063, RFC1191 (PMTU)]
  1   0     17  Extended Internet Proto   [RFC1385, RFC1883 (IPv6)]
  0   0     10  Experimental Measurement  [ZSu]
  1   2     13  Experimental Flow Control [Finn]
  1   0     14  Experimental Access Ctl   [Estrin]
  0   0     15  ???                       [VerSteeg]
  1   0     16  IMI Traffic Descriptor    [Lee]
  1   0     19  Address Extension         [Ullmann IPv7]

   NOTE: Addition or removal of any security labels (BSO, ESO, CIPSO) by
   systems along a packet's path conflicts with the classification of
   these IP Options as immutable and is incompatible with the use of
   IPsec.


-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org

To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list