[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [saag] Re: IPsec and RSVP

To: "Derek Atkins" <derek@ihtfp.com>
Subject: RE: [saag] Re: IPsec and RSVP
From: "Hannes Tschofenig" <Hannes.Tschofenig@mchp.siemens.de>
Date: Wed, 29 May 2002 16:04:54 +0200
Cc: "Melinda Shore" <mshore@cisco.com>, "RJ Atkinson" <rja@extremenetworks.com>, "SatishK Amara" <kumar_amara@yahoo.com>, <dong_wei@tsinghua.com>, "IPsec" <ipsec@lists.tislabs.com>, "Security_Area_Advisory_Group" <saag@mit.edu>
Importance: Normal
In-Reply-To: <sjm4rgr2hky.fsf@kikki.mit.edu>
Sender: owner-ipsec@lists.tislabs.com

hi
>
>
> And we're saying that this chain-of-trust is a bad model, because
> anyone close to an edge can inject any amount of bogus data into the
> network.
you have to differentiate between data traffic and signaling traffic.
if you change the chain-of-trust model and require end-to-end nature than
this implies that you
don't want any router to modify rsvp message (adding something etc.). this
is possible by introducing mutable and non-mutable fields and protecting the
non-mutable fields end-to-end. the only information you can protect is what
qos was requested by one end. since rsvp is not used by its own you could
also protect this information at the application layer for example using
sip. if nodes in between are unable to verify this information then this
would also work. what do you think?

>  Once it's injected, it's even TRUSTED!
yes - if a router is malicious then you have a problem.
injecting data traffic by someone else (unauthorized user) is something
different.
injecting unprotected signaling messages is again something different.

>  One major problem is
> that you lose the origin of the request after the first hop, not to
> mention the actual request itself.
which nodes need this information and for what?

ciao
hannes


>
> -derek
>
> "Hannes Tschofenig" <Hannes.Tschofenig@mchp.siemens.de> writes:
>
> > hi
> >
> > what do you mean by "in terms of addressing"?
> >
> > my understanding of rsvp is:
> > rsvp travels hop-by-hop (rsvp capable nodes) from one end-point
> to an other
> > (except if you use some rsvp extensions like rsvp proxy etc.).
> hence "RSVP
> > is end-to-end in one direction (sender->receiver)" confuses me
> somehow. the
> > security for rsvp is build on hop-by-hop security based on a
> chain-of-trust.
> >
> > ciao
> > hannes
> >
> >
> > > -----Original Message-----
> > > From: owner-ipsec@lists.tislabs.com
> > > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Melinda Shore
> > > Sent: Saturday, May 25, 2002 5:18 PM
> > > To: RJ Atkinson; Derek Atkins
> > > Cc: SatishK Amara; dong_wei@tsinghua.com; IPsec;
> > > Security_Area_Advisory_Group
> > > Subject: Re: [saag] Re:
> > >
> > >
> > > At 10:53 AM 5/25/02 -0400, RJ Atkinson wrote:
> > > >Hmm.  I would rather say that RSVP is hop-by-hop and
> > > >that (normally) AH/ESP are end-to-end.
> > >
> > > In terms of addressing, RSVP is end-to-end in one
> > > direction (sender->receiver) and hop-by-hop in the
> > > other (receiver->sender).
> > >
> > > >However, if one used (for example) AH with an asymmetric algorithm,
> > > >one could perform hop-by-hop authentication of the
> > > >packet with AH.  This has obvious computational cost
> > > >issues so might not be the best choice.
> > >
> > > The packet payload is going to be modified at each hop,
> > > as well, in both directions.
> > >
> > > Melinda
> >
>
> --
>        Derek Atkins
>        Computer and Internet Security Consultant
>        derek@ihtfp.com             www.ihtfp.com

References:
- Re: [saag] Re: IPsec and RSVP
  - From: Derek Atkins <derek@ihtfp.com>

Prev by Date: RE: [saag] Re:
Next by Date: RE: [saag] Re:
Prev by thread: Re: [saag] Re: IPsec and RSVP
Next by thread: RE: [saag] Re:
Index(es):
- Date
- Thread