
Bandwidth reservation and AH, and non-MD5 based AH.




In a galaxy far, far away, : Mon, 05 Feb 1996 11:39:55 EST
>   IPSEC is not a place to ask these questions. Try 
> firewalls-request@greatcircle.com please. You might start with:

  Dang. I replied to the list. Exactly what I hate people doing.
  
  Here is some genuine content to go with my apology. I think this
topic came up (I know I asked the question once), but seems to have died.
  The issue was how to deal with a possibly unknown number of gateways
between a sender and recipient. The simplest case is a single security
gateway with a host behind it. I think the opinion was that 
	IP-AH-IP-AH 
  was the way to do this. This works fine for some finite number of gateways
and when the packet will go via the same route each time. It gets to be a
pain when the number of gateways gets more than a couple. The gateways
could use ICMP "Authentication Required" to get more and more AH headers 
added.
  If one is talking about bandwidth reservation then one wants the packets
examined at several places. One could share (via Photuris or other) the secret
keying information with all these gateways. I dislike this. I don't think
Photuris can handle this at present.
  Or, one could use a public key based digital signature. I worry that checking
this signature may take so long that the bandwidth reservation becomes moot
due to latency... I know that the bandwidth reservation people (RSVP) are 
working on something to address this. From my reading, there doesn't seem
to be a lot of protection against other people stealing your expensive
bandwidth, although draft-ietf-rsvp-md5-01.txt provides protection for the
RSVP protocol messages themselves. 
  The biggest reason I can see for widespread use of RSVP type services is that
if they are simple and cheap, then we can work around a large number of the 
denial of service attacks that "ping -f victim" can cause.






