[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re:

To: Hannes Tschofenig <Hannes.Tschofenig@mchp.siemens.de>
Subject: Re:
From: "S. Felix Wu" <wu@cs.ucdavis.edu>
Date: Wed, 29 May 2002 10:03:18 -0700
CC: Derek Atkins <warlord@mit.edu>, SatishK Amara <kumar_amara@yahoo.com>, dong_wei@tsinghua.com, IPsec <ipsec@lists.tislabs.com>, Security_Area_Advisory_Group <saag@mit.edu>
References: <BIEMJDFDALACOIGHKCHCOEGPEHAA.Hannes.Tschofenig@mchp.siemens.de>
Sender: owner-ipsec@lists.tislabs.com


It depends on what are the security requirements and threats.
In my opinion, RSVP security is really neither hop-by-hop nor
end-to-end (or I should say it is a mixture of both).

Certain fields in RSVP are "mutable" (for example, maximum
available bandwidth along the route path), and therefore, a
pure end-to-end will not be possible. On the other hand, if
we assume (i.e., our threat model) that an intermediate RSVP
router (on the route path) can be malicious, then you need
some forms of end-to-end to protect at least those "static"
fields in an end-to-end fashion.

My students and I studied this problem a few years ago and the
following is a web link to our paper:

http://arqos.csc.ncsu.edu/papers/1999_10_iwqos99.pdf

This work is somewhat old, but hopefully it will provide some
information about the technical difficulties in dealing with
RSVP security.
-Felix


Hannes Tschofenig wrote:
> 
> hi
> 
> what speaks against applying ipsec hop-by-hop (whereby a hop is a rsvp
> capable router)?
> 
> ciao
> hannes
> 
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Derek Atkins
> > Sent: Saturday, May 25, 2002 5:01 AM
> > To: SatishK Amara
> > Cc: dong_wei@tsinghua.com; IPsec; Security_Area_Advisory_Group
> > Subject: Re:
> >
> >
> > Because IPsec is hop-by-hop but you want RSVP end-to-end.
> >
> > -derek
> >
> > SatishK Amara <kumar_amara@yahoo.com> writes:
> >
> > > Why don't you use IPSEC to secure RSVP.
> > >
> > > Satish Amara
> > > --- Dong <dong_wei@tsinghua.com> wrote:
> > > > Roy,
> > > >
> > > > I just read a paper "Preventing Denial of Service
> > > > Attacks on Quality of Service", which is written by
> > > > some guys from N.C. State university and UC Davis.
> > > > The service quality to legimative users could be
> > > > degraded by attacks on control flow or data flow.
> > > > For example, an illegal user can forge a reservation
> > > > message, so he can receive an unauthorized amount of
> > > > resources. I just wanna to know what threats exist
> > > > in providing QoS, and what the state-of-art
> > > > techniques to prevent, detect and counter those
> > > > attacks, and of course recovery mothods as well.
> > > >
> > > > Thx a lot.
> > > >
> > > > Dong
> > > >
> > > >
> > > > Dong,
> > > > Please be a little more precise in what you are
> > > > asking for, i.e.
> > > >
> > > > 3-5 bullet list items on what kind of security you
> > > > seek.
> > > >
> > > > Roy
> > > >
> > > > -----Original Message-----
> > > > From: Dong [mailto:dong_wei@tsinghua.com]
> > > > Sent: Thursday, May 23, 2002 2:05 PM
> > > > To: Security_Area_Advisory_Group; IPsec
> > > > Subject: Secure QoS
> > > >
> > > >
> > > > Hi,
> > > >
> > > > I am trying to do a survey on Secure QoS. Any paper
> > > > on that? Thx.
> > > >
> > > > Dong
> > > >
> > > >
> > > _____________________________________________________________
> > > > Get Tsinghua University free email account:
> > > > www.tsinghua.com
> > > > Web site sponsored and hosted by AtFreeWeb.com
> > > >
> > > >
> > > >
> > > >
> > > _____________________________________________________________
> > > > Get Tsinghua University free email account:
> > > > www.tsinghua.com
> > > > Web site sponsored and hosted by AtFreeWeb.com
> > > >
> > > >
> > > _____________________________________________________________
> > > > Promote your group and strengthen ties to your
> > > > members with email@yourgroup.org by Everyone.net
> > > http://www.everyone.net/?btn=tag
> > >
> > >
> > > =====
> > > In natural science, Nature has given us a world and we're just
> > to discover its laws. In computers, we can stuff laws into it and
> > create a world            -- Alan Kay
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > LAUNCH - Your Yahoo! Music Experience
> > > http://launch.yahoo.com
> >
> > --
> >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >        Member, MIT Student Information Processing Board  (SIPB)
> >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >        warlord@MIT.EDU                        PGP key available

-- 
----------------------------------------------------------------------
Dr. S. (Shyhtsun) Felix Wu                           wu@cs.ucdavis.edu
Associate Professor                      http://www.cs.ucdavis.edu/~wu
Computer Science Department                     office: 1-530-754-7070
University of California at Davis               fax:    1-530-752-4767
----------------------------------------------------------------------

Follow-Ups:
- RE:
  - From: "Hannes Tschofenig" <Hannes.Tschofenig@mchp.siemens.de>

References:
- RE:
  - From: "Hannes Tschofenig" <Hannes.Tschofenig@mchp.siemens.de>

Prev by Date: Re: ipsec to secure rsvp
Next by Date: Re: ipsec to secure rsvp
Prev by thread: RE: IPsec and RSVP
Next by thread: RE:
Index(es):
- Date
- Thread