Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!columbia!rutgers!labrea!decwrl!hplabs!ucbvax!SRI-NIC.ARPA!STJOHNS
From: STJOHNS@SRI-NIC.ARPA
Newsgroups: comp.protocols.tcp-ip
Subject: Re: IP options implementation
Message-ID: <[SRI-NIC.ARPA].6-Jul-87.05:44:11.STJOHNS>
Date: Mon, 6-Jul-87 08:44:00 EDT
Article-I.D.: <[SRI-NIC.ARPA].6-Jul-87.05:44:11.STJOHNS>
Posted: Mon Jul  6 08:44:00 1987
Date-Received: Tue, 7-Jul-87 05:19:13 EDT
References: <8707041529.AA24545@lbl-csam.arpa>
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 19

For single level systems (those evaluated at less than B2), the
only place you need to deal with the IP security option is at the
IP level.  You need to have a configuration item which sets the
level of your system.  This must be reflected in the outgoing
packets, and must also be checked in the incoming packets.
Incoming packets without the proper security option in them must
be logged and dropped.

(Err, this is what the rules say; if I were implementing this,
I'd add a configuration item for dropping non-compliant incoming
datagrams and leave it off until you connect to BLACKER, or are
reasonably certain everyone else is in compliance.)

By the way, which IP security option is everyone out there
concerned about?  The one in the RFC?  If so, hang on to your
horses.  You might want to take a look at the revised IPSO in
[NIC]ps:ipso.txt.

Mike
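
The inbound check described in the post, as an added example that is not part of the original message or of any implementation it refers to. It assumes the RFC 791 security option layout (type 130, length 11, 16-bit S field first), not the revised IPSO; `ipso_cfg`, `enforce`, `ipso_check_in` and the sample headers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

enum { OPT_EOL = 0, OPT_NOP = 1, OPT_SEC = 130, OPT_SEC_LEN = 11 }; /* RFC 791 */
enum verdict { ACCEPT, LOG_ONLY, LOG_AND_DROP };

struct ipso_cfg {            /* hypothetical configuration items */
    uint16_t system_level;   /* the single level this host runs at */
    int enforce;             /* 0: log non-compliant datagrams, still accept */
};

/* Walk the options area: 1 = security option found (S field in *level),
 * 0 = absent, -1 = malformed option list. */
static int find_level(const uint8_t *opt, size_t len, uint16_t *level)
{
    for (size_t i = 0; i < len; ) {
        uint8_t type = opt[i];
        if (type == OPT_EOL) break;
        if (type == OPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;
        size_t olen = opt[i + 1];
        if (olen < 2 || olen > len - i) return -1;
        if (type == OPT_SEC) {
            if (olen != OPT_SEC_LEN) return -1;
            *level = (uint16_t)((opt[i + 2] << 8) | opt[i + 3]);
            return 1;
        }
        i += olen;
    }
    return 0;
}

/* Inbound check; hdr points at the first byte of an IPv4 header. */
enum verdict ipso_check_in(const struct ipso_cfg *cfg, const uint8_t *hdr, size_t n)
{
    uint16_t level = 0;
    if (n < 20) return LOG_AND_DROP;
    size_t hlen = (size_t)(hdr[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > n) return LOG_AND_DROP;
    int r = find_level(hdr + 20, hlen - 20, &level);
    if (r < 0) return LOG_AND_DROP;      /* malformed is never accepted */
    if (r == 1 && level == cfg->system_level) return ACCEPT;
    return cfg->enforce ? LOG_AND_DROP : LOG_ONLY;
}

/* Constructed sample headers (S field 0xD788 is a sample level value). */
const uint8_t HDR_SEC[32] = { [0] = 0x48, [20] = 130, [21] = 11, [22] = 0xD7, [23] = 0x88 };
const uint8_t HDR_PLAIN[20] = { 0x45 };
int main(void) { return ipso_check_in(&(struct ipso_cfg){0xD788, 1}, HDR_SEC, 32) != ACCEPT; }
```

With `enforce` left at 0 a datagram lacking the option is still logged, which shows who is out of compliance before dropping is switched on.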