> >> I don't think that matters. Security labels are never optional but > >> always mandatory. And it seems very unlikely to have a mix of child > >> sa's with and without label. So they will all have a label, and then > >> failing the IKE SA is fine, > > > > Do you want to say, that it's impossible to have two SGWs with > > multiple networks behind them so, that traffic from some networks will > > have security labels and traffic from the others won't have? > > I'm not saying it is impossible. I am saying it is not likely to be a real life > configuration. If you classify network traffic with labels, your goal is to not > have unlabeled traffic come in at all. You might have a label SEC_WHATEVER, > but it still seems far more likely you would mark the traffic as having come > from SGWx with some kind of LABELx to track the origin throughout your > network. > > > If such a configuration is possible, then it's perfectly OK to have a > > mix of labelled and non-labelled IPsec SAs created by one IKE SA. > > I'd argue the reverse. It would likely be better not to allow such an awful > configuration :)
So, am I right that you want all IPsec SAs created from a single IKE SA to either have labels or not? If so, then it looks like an IKE SA property, and thus an ability to use labels should really be negotiated when IKE SA is created (well, I don't care whether it is SECLABELS_SUPPORTED or SECLABELS_REQUIRED notification :-)). And since peers know that seclabels are supported, we won't have any problems with legacy implementations (for example, the responder cannot ignore label in notification in option 3). Regards, Valery. > > Paul _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
