My message pointed out that there was no mention of options. Your
reply picked a couple of option examples and argued that they were
either not used or did not pose a security problem.
The right way to generate a good answer is to construct a table of all
the options, and provide a rationale for why each one is not covered,
deprecated, or not security relevant.
Also, note that IPSO and CIPSO are examples of options that were
discussed at the IPSECME meeting this week, where there is a need to
bind the options to the payload. I observed that using tunnel mode
(ESP) addresses this concern, but one could also note that using AH
would do the same, with lower per-packet bandwidth overhead.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec