Confidentiality and Integrity Protections With Label Extensions
The following table explains how IPsec confidentiality and integrity
protections apply to the security label with various configurations of label
extensions.
| Configuration | Confidentiality | Integrity |
|---|---|---|
| Without label extensions | Label is visible in the labeled IP option. | Message label in the labeled IP option is covered by AH, not by ESP. See Note. |
| With label extensions | A labeled IP option is visible, but represents the wire label, which might be different from the inner message label. | Label integrity is implicitly covered by the existence of a label-specific SA. On-the-wire labeled IP option is covered by AH. See Note. |
| With label extensions and labeled IP option suppressed | Message label is not visible. | Label integrity is implicitly covered by the existence of a label-specific SA. |

Note - You cannot use IPsec AH integrity protections to protect the labeled
IP option if label-aware routers might strip or add the labeled IP option
as a message travels through the network. Any modification to the labeled
IP option will invalidate the message and cause a packet that is protected
by AH to be dropped at the destination.
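
The effect described in the Note can be reproduced with a simplified model of the AH integrity check. This is an added example, not part of the original documentation: it assumes the labeled IP option is a CIPSO option (IPv4 option type 134, which RFC 4302 treats as immutable and therefore includes in the ICV), and it computes the ICV as a truncated HMAC over the header and payload only, leaving out the AH header fields a real implementation also covers. The key, addresses, DOI and label levels are constructed values.

```python
import hashlib
import hmac
import struct

CIPSO = 134  # assumption: the labeled IP option is CIPSO, IPv4 option type 134

def cipso_option(doi, level):
    """Constructed CIPSO option: one tag of type 1 carrying only a sensitivity level."""
    return bytes([CIPSO, 10]) + struct.pack("!I", doi) + bytes([1, 4, 0, level])

def ipv4_header(src, dst, options, payload_len, ttl=64):
    """Minimal IPv4 header (protocol 51 = AH); checksum left 0, AH zeroes it anyway."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, ttl, 51, 0, src, dst)
    return fixed + options

def ah_icv(key, header, payload):
    """Simplified AH ICV: HMAC over the header with mutable fields zeroed, plus payload.
    The option bytes stay in the input because the option is treated as immutable."""
    h = bytearray(header)
    h[1] = 0                    # DSCP/ECN
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:16]

def verify_after_transit():
    """Compare the sender's ICV with what the receiver computes in three transit cases."""
    key, payload = b"constructed-sa-key", b"constructed payload"
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    n = len(payload)
    sent = ipv4_header(src, dst, cipso_option(1, 5), n)
    icv = ah_icv(key, sent, payload)             # computed by the sender
    received = {
        "ttl_decremented": ipv4_header(src, dst, cipso_option(1, 5), n, ttl=63),
        "label_rewritten": ipv4_header(src, dst, cipso_option(1, 6), n),
        "option_stripped": ipv4_header(src, dst, b"", n),
    }
    return {name: hmac.compare_digest(icv, ah_icv(key, hdr, payload))
            for name, hdr in received.items()}

if __name__ == "__main__":
    for case, ok in verify_after_transit().items():
        print(f"{case}: {'accepted' if ok else 'dropped (ICV mismatch)'}")
```

An ordinary hop that only decrements the TTL still verifies, while a router that rewrites or strips the labeled option changes bytes the ICV covers, so the destination drops the packet.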