The following table explains how IPsec confidentiality and integrity protections apply to the security label with various configurations of label extensions.
| Security Association | Confidentiality | Integrity |
|---|---|---|
| Without label extensions | Label is visible in the CIPSO IP option. | Message label in the CIPSO IP option is covered by AH, not by ESP. See Note. |
| With label extensions | A CIPSO IP option is visible, but represents the wire label, which might be different from the inner message label. | Label integrity is implicitly covered by the existence of a label-specific SA. On-the-wire CIPSO IP option is covered by AH. See Note. |
| With label extensions and CIPSO IP option suppressed | Message label is not visible. | Label integrity is implicitly covered by the existence of a label-specific SA. |
Note: You cannot use IPsec AH integrity protection to protect the CIPSO IP option if CIPSO-aware routers might strip or add the CIPSO IP option as a message travels through the network. Any such modification to the CIPSO IP option invalidates the AH integrity check, so a packet that is protected by AH is dropped at the destination.
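As an added illustration of the note (this is not code from the original documentation), the following Python model shows why AH, unlike ESP, fails once a router strips the CIPSO option. It computes a simplified AH ICV with the mutable IPv4 fields zeroed as RFC 4302 prescribes, treating the CIPSO option as an immutable option that is authenticated, and an ESP-style ICV that covers only the ESP header and payload; the key, SPI, addresses, DOI and sensitivity level are constructed sample values.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"  # constructed, not a real SA key
CIPSO_OPT_TYPE = 134                      # IPv4 option type for CIPSO

def cipso_option(doi: int, sensitivity_level: int) -> bytes:
    """Minimal CIPSO option: type, length, 4-byte DOI, one tag type 1 with no categories."""
    tag = struct.pack("!BBBB", 1, 4, 0, sensitivity_level)   # tag type, tag len, align, level
    body = struct.pack("!I", doi) + tag
    return bytes([CIPSO_OPT_TYPE, 2 + len(body)]) + body

def ipv4_header(src: bytes, dst: bytes, options: bytes, payload_len: int, ttl: int = 64) -> bytes:
    """IPv4 header carrying AH (protocol 51) plus options padded to a 32-bit boundary."""
    while len(options) % 4:
        options += b"\x00"                                     # End-of-Options-List padding
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, ttl, 51, 0, src, dst)
    return fixed + options

def ah_immutable_view(header: bytes) -> bytes:
    """Zero the mutable IPv4 fields AH excludes; options (incl. CIPSO) stay in the ICV."""
    h = bytearray(header)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"  # TOS, flags/frag, TTL, checksum
    return bytes(h)

AH_FIXED = struct.pack("!BBHII", 6, 5, 0, 0x1000, 1)  # next hdr, len, reserved, SPI, seq (constructed)

def ah_icv(header: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA-256-128 over immutable IP header, AH header (ICV zeroed) and payload."""
    data = ah_immutable_view(header) + AH_FIXED + bytes(16) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def ah_verifies(header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(header, payload), icv)

def esp_icv(payload: bytes, key: bytes = KEY) -> bytes:
    """Transport-mode ESP: ICV spans only the ESP header and payload, never the outer IP header."""
    return hmac.new(key, struct.pack("!II", 0x2000, 1) + payload, hashlib.sha256).digest()[:16]

def strip_ip_options(header: bytes) -> bytes:
    """Model a CIPSO-aware router removing the option: IHL back to 5, total length shrunk."""
    h = bytearray(header[:20]); h[0] = (4 << 4) | 5
    h[2:4] = struct.pack("!H", struct.unpack("!H", h[2:4])[0] - (len(header) - 20))
    return bytes(h)

def decrement_ttl(header: bytes) -> bytes:
    h = bytearray(header); h[8] -= 1; return bytes(h)          # normal forwarding change

def demo() -> dict:
    payload = b"constructed application data"
    hdr = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", cipso_option(1, 3), len(payload))
    icv, esp = ah_icv(hdr, payload), esp_icv(payload)
    return {"ah_intact": ah_verifies(hdr, payload, icv),
            "ah_after_ttl_decrement": ah_verifies(decrement_ttl(hdr), payload, icv),
            "ah_after_cipso_stripped": ah_verifies(strip_ip_options(hdr), payload, icv),
            "esp_after_cipso_stripped": hmac.compare_digest(esp_icv(payload), esp)}
```

A TTL decrement by a router leaves the AH check intact, while stripping the CIPSO option fails it; the ESP check is indifferent to the outer header either way.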