
Re: IPsec and RSVP



"Hannes Tschofenig" <Hannes.Tschofenig@mchp.siemens.de> writes:

> hi
> 
> what speaks against applying IPsec hop-by-hop (whereby a hop is an
> RSVP-capable router)?

You lose the authentication of the end-point requesting the
reservation.  If you use IPsec in this way, then each router
knows its peer, but you have no transitive authentication.
The only protection you get is protection of the on-the-wire
request.  You have no protection against a corrupt router
along the path, or indeed no way to know what the actual
original request was.

> ciao
> hannes

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
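
The following is an added illustration, not part of the original message: a small Python model of the point made in the reply, that per-hop protection detects tampering on the wire but not a rewrite by a router on the path. The link keys, the end-to-end key (an assumed stand-in for whatever end-point authentication is used), the `deliver` helper and the sample request strings are all constructed for this example.

```python
import hashlib
import hmac

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

# Constructed keys: one per link (stand-in for a hop-by-hop SA between
# neighbouring RSVP routers) and one known only to end-points A and B.
LINK_KEYS = [b"A<->R1", b"R1<->R2", b"R2<->B"]
E2E_KEY = b"A<->B"

def deliver(request, corrupt_router=None, wire_tamper=None, altered=b""):
    """Carry `request` from A to B across three protected links.

    corrupt_router: 1 or 2, the router that rewrites the message to
                    `altered` before protecting it for the next hop.
    wire_tamper:    0..2, the link on which the bytes are changed to
                    `altered` in transit, after the sender computed its tag.
    """
    e2e_tag = mac(E2E_KEY, request)       # set once by the originator A
    msg = request
    for link, key in enumerate(LINK_KEYS):
        if link == corrupt_router:        # this node sends on `link`
            msg = altered                 # it holds a valid link key
        tag = mac(key, msg)               # sender protects this hop only
        on_wire = altered if link == wire_tamper else msg
        if not hmac.compare_digest(tag, mac(key, on_wire)):
            # The receiving peer rejects the packet: per-hop check failed.
            return {"hop_ok": False, "e2e_ok": False, "delivered": None}
        msg = on_wire
    # B checks the originator's tag, which no router could recompute.
    e2e_ok = hmac.compare_digest(e2e_tag, mac(E2E_KEY, msg))
    return {"hop_ok": True, "e2e_ok": e2e_ok, "delivered": msg}

# Constructed sample requests (not real RSVP encoding).
REQ = b"RESV flow=10.0.0.5 bw=1Mbps"
ALT = b"RESV flow=10.0.0.5 bw=100Mbps"

if __name__ == "__main__":
    for label, kwargs in [
        ("honest path", {}),
        ("tamper on link R1<->R2", {"wire_tamper": 1, "altered": ALT}),
        ("corrupt router R1", {"corrupt_router": 1, "altered": ALT}),
    ]:
        print(label, deliver(REQ, **kwargs))
```

In the corrupt-router case every per-hop check passes and only the end-to-end tag shows that what arrived is not what the originator asked for.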