Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!columbia!rutgers!labrea!decwrl!hplabs!ucbvax!SRI-NIC.ARPA!STJOHNS
From: STJOHNS@SRI-NIC.ARPA
Newsgroups: comp.protocols.tcp-ip
Subject: Re: IP options implementation
Message-ID: <[SRI-NIC.ARPA].6-Jul-87.05:44:11.STJOHNS>
Date: Mon, 6-Jul-87 08:44:00 EDT
Article-I.D.: <[SRI-NIC.ARPA].6-Jul-87.05:44:11.STJOHNS>
Posted: Mon Jul 6 08:44:00 1987
Date-Received: Tue, 7-Jul-87 05:19:13 EDT
References: <8707041529.AA24545@lbl-csam.arpa>
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 19
For single level systems (those evaluated at less than B2), the
only place you need to deal with the IP security option is at the
IP level. You need to have a configuration item which sets the
level of your system. This must be reflected in the outgoing
packets, and must also be checked in the incoming packets.
Incoming packets without the proper security option in them must
be logged and dropped.
(Err, this is what the rules say; if I were implementing this,
I'd add a configuration item for dropping non-compliant incoming
datagrams and leave it off until you connect to BLACKER, or are
reasonably certain everyone else is in compliance.)
By the way, which IP security option is everyone out there
concerned about? The one in the RFC? If so, hang on to your
horses. You might want to take a look at the revised IPSO in
[NIC]ps:ipso.txt.
Mike
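Added example, not from Mike's post or from any real IP stack: in C, the single-level handling he describes, writing the RFC 791 Security option (type 130, length 11) into outgoing datagrams and checking it on incoming ones, with the two configuration items he mentions (the system's level, and whether non-compliant datagrams are dropped or only logged). The `ipso_config` struct, function names and the choice of Secret (RFC 791 S-field code 0xD788) as the system level are assumptions; the sample packets in the comments are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPOPT_SECURITY     130    /* RFC 791 Security option: copied, class 0, number 2 */
#define IPOPT_SECURITY_LEN 11

/* Assumed configuration items: the one level this single-level system runs at
 * (an RFC 791 S-field code), and whether non-compliant incoming datagrams are
 * dropped or only logged (Mike's "leave it off until you connect to BLACKER"). */
struct ipso_config { uint16_t system_level; int enforce; };
enum verdict { IPSO_ACCEPT, IPSO_LOG_ONLY, IPSO_DROP };

/* Outgoing side: write the 11-byte option carrying the system level (C, H, TCC zero). */
size_t ipso_build_option(uint8_t *out, uint16_t level)
{
    memset(out, 0, IPOPT_SECURITY_LEN);
    out[0] = IPOPT_SECURITY; out[1] = IPOPT_SECURITY_LEN;
    out[2] = level >> 8;     out[3] = level & 0xff;
    return IPOPT_SECURITY_LEN;
}

/* Incoming side: walk the option list and return the S field, or -1 if the
 * option is absent or malformed. hdr points at the start of the IP header. */
static int ipso_find_level(const uint8_t *hdr, size_t len)
{
    size_t ihl = (hdr[0] & 0x0f) * 4, off = 20;
    if (ihl < 20 || len < ihl) return -1;
    while (off < ihl) {
        uint8_t type = hdr[off];
        if (type == 0) break;                 /* end of option list */
        if (type == 1) { off++; continue; }   /* no-operation */
        if (off + 1 >= ihl) return -1;
        uint8_t olen = hdr[off + 1];
        if (olen < 2 || off + olen > ihl) return -1;
        if (type == IPOPT_SECURITY)
            return olen == IPOPT_SECURITY_LEN ? (hdr[off + 2] << 8) | hdr[off + 3] : -1;
        off += olen;
    }
    return -1;
}

/* The rule from the post: the option must be present and equal the system
 * level; otherwise log it, and drop only when the enforce item is on. */
enum verdict ipso_check_incoming(const struct ipso_config *cfg, const uint8_t *hdr, size_t len)
{
    int level = ipso_find_level(hdr, len);
    if (level == cfg->system_level) return IPSO_ACCEPT;
    fprintf(stderr, "ipso: level %d != system 0x%04x (%s)\n", level,
            (unsigned)cfg->system_level, cfg->enforce ? "dropped" : "logged only");
    return cfg->enforce ? IPSO_DROP : IPSO_LOG_ONLY;
}
```

A datagram with no options at all (IHL 5) takes the same path as a mismatched level: it is logged and, with enforcement on, dropped, which is the "without the proper security option" case in the post.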