
Re: ipsec to secure rsvp




The tricky part (my personal opinion) is that, using IPSec, you
must know the other endpoint's IP address to establish the SA in
the first place. According to my understanding, at least in general,
in RSVP, you do NOT know the next hop RSVP router's IP address in
path finding messages (I assume that not every Internet router will
support RSVP), and sometimes route path might change unpredictably.

Therefore, (according to my old/dusty memory), Fred Baker's proposal
to secure RSVP is based on a key table and key ID to allow the next
hop trusted RSVP router to authenticate (HMAC fashion) the message
without prior session-key exchange.

I have admitted that I haven't followed the thread of progress in
RSVP security for a while, so maybe things have been changed.

-Felix



Hannes Tschofenig wrote:
> 
> hi
> 
> there is no reason why not to use ipsec to secure rsvp. especially in the
> core network (between routers) this might be a reasonable approach. using
> ipsec to secure the traffic between the application (end-host) and the first
> hop router is however more difficult.
> 
> ciao
> hannes
> 
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of SatishK Amara
> > Sent: Friday, May 24, 2002 4:37 PM
> > To: dong_wei@tsinghua.com; IPsec; Security_Area_Advisory_Group
> > Subject: Re:
> >
> >
> > Why don't you use IPSEC to secure RSVP.
> >
> > Satish Amara
> > --- Dong <dong_wei@tsinghua.com> wrote:
> > > Roy,
> > >
> > > I just read a paper "Preventing Denial of Service
> > > Attacks on Quality of Service", which is written by
> > > some guys from N.C. State university and UC Davis.
> > > The service quality to legitimate users could be
> > > degraded by attacks on control flow or data flow.
> > > For example, an illegal user can forge a reservation
> > > message, so he can receive an unauthorized amount of
> > > resources. I just want to know what threats exist
> > > in providing QoS, and what the state-of-art
> > > techniques to prevent, detect and counter those
> > > attacks, and of course recovery methods as well.
> > >
> > > Thx a lot.
> > >
> > > Dong
> > >
> > >
> > > Dong,
> > > Please be a little more precise in what you are
> > > asking for, i.e.
> > >
> > > 3-5 bullet list items on what kind of security you
> > > seek.
> > >
> > > Roy
> > >
> > > -----Original Message-----
> > > From: Dong [mailto:dong_wei@tsinghua.com]
> > > Sent: Thursday, May 23, 2002 2:05 PM
> > > To: Security_Area_Advisory_Group; IPsec
> > > Subject: Secure QoS
> > >
> > >
> > > Hi,
> > >
> > > I am trying to do a survey on Secure QoS. Any paper
> > > on that? Thx.
> > >
> > > Dong
> > >
> > >
> >
> >
> > =====
> > In natural science, Nature has given us a world and we're just to
> > discover its laws. In computers, we can stuff laws into it and
> > create a world            -- Alan Kay
> >

-- 
----------------------------------------------------------------------
Dr. S. (Shyhtsun) Felix Wu                           wu@cs.ucdavis.edu
Associate Professor                      http://www.cs.ucdavis.edu/~wu
Computer Science Department                     office: 1-530-754-7070
University of California at Davis               fax:    1-530-752-4767
----------------------------------------------------------------------
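
The key-table and key-ID idea described in the message above, as an added sketch that is not part of the original thread and not code from any RSVP implementation. The field layout, HMAC-SHA256, the names and the sequence-number replay check are assumptions made for illustration; the point is that the receiving hop selects the key from the ID carried in the message and never needs to know the sender's address in advance.

```python
import hashlib
import hmac
import struct

# Constructed sample key table: key ID -> secret provisioned out of band
# on every trusted RSVP router (assumption; values are made up).
KEY_TABLE = {
    1: b"constructed-secret-for-key-id-1",
    2: b"constructed-secret-for-key-id-2",
}

HEADER = struct.Struct("!IQ")  # key ID (32 bit), sequence number (64 bit)
TAG_LEN = hashlib.sha256().digest_size


def protect(key_id, seq, payload, table=KEY_TABLE):
    """Sender side: prepend key ID and sequence number, append the HMAC."""
    body = HEADER.pack(key_id, seq) + payload
    return body + hmac.new(table[key_id], body, hashlib.sha256).digest()


class Receiver:
    """Receiving hop: authenticates using only the shared key table."""

    def __init__(self, table=KEY_TABLE):
        self.table = table
        self.last_seq = {}  # key ID -> highest sequence number accepted

    def verify(self, message):
        """Return the payload if authentic and fresh, else raise ValueError."""
        if len(message) < HEADER.size + TAG_LEN:
            raise ValueError("message too short")
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        key_id, seq = HEADER.unpack_from(body)
        key = self.table.get(key_id)
        if key is None:
            raise ValueError("unknown key ID")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            raise ValueError("bad HMAC")
        if seq <= self.last_seq.get(key_id, -1):
            raise ValueError("replayed or stale sequence number")
        self.last_seq[key_id] = seq
        return body[HEADER.size:]
```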