
RE: Flow label and its uses



Flow label is not a field that is protected by IPSEC,
hence I do not think you can use this as a selector.

Unless you do modifications to IKEv2, you also cannot let
the other end know what exactly the SP (security policy)
is based on.

Frankly, use of flow label as a selector would be a hack
to get around the problem of the full security policy lookup
in IPSEC at high speeds. The truth is that this has not
been a problem for at least 4-5 years now as long
as the selectors themselves are TCAM friendly.

Bora


> -----Original Message-----
> From: Vishwas Manral [mailto:Vishwas@sinett.com] 
> Sent: Tuesday, January 31, 2006 2:08 AM
> To: Bora Akyol; Spencer Dawkins; v6ops@ops.ietf.org
> Subject: RE: Flow label and its uses
> 
> Bora,
> 
> > Does this mean that you are using the flow label in lieu of the 
> > regular IPSEC SP match?
> All I am saying is just as we can have local and remote ports 
> as selectors; we can instead use Flow Labels along with the 
> IP addresses for the same purpose, if some assumptions can be 
> made for the flow label. 
> 
> Is my understanding wrong?
> 
> Thanks,
> Vishwas
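
An added illustration of the first point in the reply above (not part of the original message, and not code from any IPsec implementation): AH, as specified in RFC 4302, zeroes the IPv6 flow label together with the other mutable header fields before computing the ICV, so a receiver cannot tell whether the label was rewritten in transit. The key, addresses, payload and function names are constructed for the example, and the ICV computation is simplified as noted in the comments.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values (documentation prefix 2001:db8::/32); not from the thread.
KEY = b"constructed-demo-key"
PAYLOAD = b"constructed upper-layer payload"

def ipv6_header(src, dst, flow_label, payload_len, tclass=0, hop_limit=64):
    """Pack a 40-byte IPv6 base header with Next Header = 51 (AH)."""
    word0 = (6 << 28) | (tclass << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", word0, payload_len, 51, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def zero_mutable_fields(header):
    """Header as AH authenticates it: traffic class, flow label and hop
    limit are zeroed; version, length, next header and addresses are kept."""
    word0, payload_len, next_header, _hop = struct.unpack("!IHBB", header[:8])
    return struct.pack("!IHBB", word0 & 0xF0000000, payload_len, next_header, 0) + header[8:]

def ah_icv(key, header, payload):
    """Simplified ICV (assumption: HMAC-SHA-256 truncated to 128 bits; the
    AH header itself, which real AH also covers, is left out for brevity)."""
    data = zero_mutable_fields(header) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def demo():
    """Report which in-transit header changes alter the ICV."""
    sent = ipv6_header("2001:db8::1", "2001:db8::2", 0x12345, len(PAYLOAD))
    relabelled = ipv6_header("2001:db8::1", "2001:db8::2", 0xABCDE, len(PAYLOAD))
    readdressed = ipv6_header("2001:db8::66", "2001:db8::2", 0x12345, len(PAYLOAD))
    icv = ah_icv(KEY, sent, PAYLOAD)
    return {
        "flow_label_change_detected": ah_icv(KEY, relabelled, PAYLOAD) != icv,
        "source_address_change_detected": ah_icv(KEY, readdressed, PAYLOAD) != icv,
    }

if __name__ == "__main__":
    print(demo())
```

A policy lookup keyed on the flow label would therefore be matching on a value that integrity checking never covers, unlike the addresses.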