
RE: [saag] Re:



hi melinda

>
>
> At 03:59 PM 5/29/02 +0200, Hannes Tschofenig wrote:
> >do you think that the hop-by-hop security in rsvp is a good or a bad thing?
> >should there be more than what is currently provided?
>
> There needs to be more than what is currently provided,
> but, as always, there's a big keying/cert problem, particularly
> in a multi-"domain" environment.
i fully agree with you. especially in a generic end-to-end case this might
be quite difficult.

>  I don't think the threat
> environment is particularly well-understood (I've seen your
> NSIS draft but haven't gone through it in detail).
i would like to hear your opinion about it.

>  Clearly
> IPSec is not the right answer for Path messages, however,
> because while the addressing is end-to-end the payload
> contents do change as the packet transits participating
> routers.
yes. ipsec is definitely not the choice for end-to-end security since it
does not allow intermediate nodes to modify the messages.

i however have difficulties with the statement that end-to-end security
introduced in rsvp solves all problems. (i think that it even introduces
more.) my observation is that the interaction between rsvp and other
protocols like sip is important especially for accounting and since rsvp is
often used together with other protocols.

ciao
hannes

>
> Melinda
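
The point made in this thread, that Path message contents change at participating routers, worked through as an added example that is not part of the original message. It is a simplified model, not the RSVP wire format: the field names, addresses, keys, and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed topology and keys (assumptions): sender -> r1 -> r2 -> receiver
PATH = ["sender", "r1", "r2", "receiver"]
LINK_KEYS = {(a, b): f"key-{a}-{b}".encode() for a, b in zip(PATH, PATH[1:])}
E2E_KEY = b"key-sender-receiver"

def mac(key: bytes, msg: dict) -> bytes:
    """HMAC-SHA256 over a canonical encoding of the whole message."""
    data = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def send_path(tamper_link=None, rogue_router=None):
    """Carry one Path message along PATH.

    tamper_link:  (a, b) link on which an outsider alters the message in flight.
    rogue_router: participating router that alters the message before re-MACing.
    Returns (per-hop results, end-to-end MAC result, delivered message).
    """
    msg = {"session": "10.0.0.9:5004", "sender": "10.0.0.1", "phop": "sender"}
    e2e_tag = mac(E2E_KEY, msg)              # computed once, by the sender
    hop_ok = []
    for prev, nxt in zip(PATH, PATH[1:]):
        key = LINK_KEYS[(prev, nxt)]
        tag = mac(key, msg)                  # previous hop protects what it sends
        wire = dict(msg)
        if tamper_link == (prev, nxt):
            wire["session"] = "10.0.0.66:5004"
        ok = hmac.compare_digest(tag, mac(key, wire))   # next hop verifies
        hop_ok.append(ok)
        if not ok:
            return hop_ok, False, None       # dropped at the verifying hop
        msg = wire
        if nxt != PATH[-1]:                  # routers rewrite the previous hop
            msg = dict(msg, phop=nxt)
            if rogue_router == nxt:          # a keyed insider changes the payload
                msg["session"] = "10.0.0.66:5004"
    return hop_ok, hmac.compare_digest(e2e_tag, mac(E2E_KEY, msg)), msg
```

With no interference every hop verifies but the whole-message end-to-end MAC fails, because the previous-hop field was legitimately rewritten. A rogue participating router passes every hop check, which is the gap hop-by-hop protection leaves open.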