
RE: ipsec to secure rsvp



hi felix!

> -----Original Message-----
> From: S. Felix Wu [mailto:wu@cs.ucdavis.edu]
> Sent: Wednesday, May 29, 2002 6:44 PM
> To: Hannes Tschofenig; kumar_amara@yahoo.com; dong_wei@tsinghua.com;
> IPsec; Security_Area_Advisory_Group
> Subject: Re: ipsec to secure rsvp
>
>
>
> The tricky part (my personal opinion) is that, using IPSec, you
> must know the other endpoint's IP address to establish the SA in
> the first place. According to my understanding, at least in general,
> in RSVP, you do NOT know the next hop RSVP router's IP address in
> path finding messages (I assume that not every Internet router will
> support RSVP), and sometimes route path might change unpredictably.
true - rsvp does not describe how to learn the identity of the next rsvp
aware next hop (i think the documents say something like 'by other
means...'). this information needs to be available otherwise the integrity
object cannot be added.

>
> Therefore, (according to my old/dusty memory), Fred Baker's proposal
> to secure RSVP is based on a key table and key ID to allow the next
> hop trusted RSVP router to authenticate (HMAC fashion) the message
> without prior session-key exchange.

that is not going to work. maybe he said something more.

>
> I have admitted that I haven't followed the thread of progress in
> RSVP security for a while, so maybe things have been changed.

there has not been a discussion as far as i remember.

ciao
hannes

>
> -Felix
>
>
>
> Hannes Tschofenig wrote:
> >
> > hi
> >
> > there is no reason why not to use ipsec to secure rsvp. especially in the
> > core network (between routers) this might be a reasonable approach. using
> > ipsec to secure the traffic between the application (end-host) and the first
> > hop router is however more difficult.
> >
> > ciao
> > hannes
> >
> > > -----Original Message-----
> > > From: owner-ipsec@lists.tislabs.com
> > > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of SatishK Amara
> > > Sent: Friday, May 24, 2002 4:37 PM
> > > To: dong_wei@tsinghua.com; IPsec; Security_Area_Advisory_Group
> > > Subject: Re:
> > >
> > >
> > > Why don't you use IPSEC to secure RSVP.
> > >
> > > Satish Amara
> > > --- Dong <dong_wei@tsinghua.com> wrote:
> > > > Roy,
> > > >
> > > > I just read a paper "Preventing Denial of Service
> > > > Attacks on Quality of Service", which is written by
> > > > some guys from N.C. State university and UC Davis.
> > > > The service quality to legitimate users could be
> > > > degraded by attacks on control flow or data flow.
> > > > For example, an illegal user can forge a reservation
> > > > message, so he can receive an unauthorized amount of
> > > > resources. I just want to know what threats exist
> > > > in providing QoS, and what the state-of-art
> > > > techniques to prevent, detect and counter those
> > > > attacks, and of course recovery methods as well.
> > > >
> > > > Thx a lot.
> > > >
> > > > Dong
> > > >
> > > >
> > > > Dong,
> > > > Please be a little more precise in what you are
> > > > asking for, i.e.
> > > >
> > > > 3-5 bullet list items on what kind of security you
> > > > seek.
> > > >
> > > > Roy
> > > >
> > > > -----Original Message-----
> > > > From: Dong [mailto:dong_wei@tsinghua.com]
> > > > Sent: Thursday, May 23, 2002 2:05 PM
> > > > To: Security_Area_Advisory_Group; IPsec
> > > > Subject: Secure QoS
> > > >
> > > >
> > > > Hi,
> > > >
> > > > I am trying to do a survey on Secure QoS. Any paper
> > > > on that? Thx.
> > > >
> > > > Dong
> > > >
> > > >
> > > _____________________________________________________________
> > > > Get Tsinghua University free email account:
> > > > www.tsinghua.com
> > > > Web site sponsored and hosted by AtFreeWeb.com
> > >
> > >
> > > =====
> > > In natural science, Nature has given us a world and we're just to
> > > discover its laws. In computers, we can stuff laws into it and
> > > create a world            -- Alan Kay
> > >
>
> --
> ----------------------------------------------------------------------
> Dr. S. (Shyhtsun) Felix Wu                           wu@cs.ucdavis.edu
> Associate Professor                      http://www.cs.ucdavis.edu/~wu
> Computer Science Department                     office: 1-530-754-7070
> University of California at Davis               fax:    1-530-752-4767
> ----------------------------------------------------------------------
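Added example, not part of any message in this thread: a simplified sketch of the key-table and key-ID idea mentioned above, where the receiver selects the shared secret by the key ID carried in the message and checks an HMAC, with no session-key exchange. The framing (32-bit key ID, 64-bit sequence number, HMAC-SHA256), the sequence-number replay check and the key table contents are assumptions for illustration, not the RSVP wire format. The sender still has to pick a key it shares with the next RSVP-aware hop, which is the identity problem discussed in the reply.

```python
import hashlib
import hmac
import struct

# Constructed key tables (key ID -> shared secret), provisioned out of band.
ROUTER_A_KEYS = {7: b"constructed-secret-A-B"}
ROUTER_B_KEYS = {7: b"constructed-secret-A-B"}

HEADER = struct.Struct("!IQ")            # key ID, sequence number (assumed layout)
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


def protect(key_table, key_id, seq, payload):
    """Sender side: frame payload as header || tag || payload."""
    key = key_table[key_id]              # sender must already know which key fits the next hop
    header = HEADER.pack(key_id, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class Receiver:
    def __init__(self, key_table):
        self.key_table = key_table
        self.last_seq = {}               # key ID -> highest sequence number accepted

    def verify(self, message):
        """Return the payload if authentic and fresh, else None."""
        if len(message) < HEADER.size + TAG_LEN:
            return None                  # truncated message
        key_id, seq = HEADER.unpack_from(message)
        tag = message[HEADER.size:HEADER.size + TAG_LEN]
        payload = message[HEADER.size + TAG_LEN:]
        key = self.key_table.get(key_id)
        if key is None:
            return None                  # no shared key for this key ID
        expected = hmac.new(key, message[:HEADER.size] + payload,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                  # forged or modified message
        if seq <= self.last_seq.get(key_id, -1):
            return None                  # replayed or out-of-date message
        self.last_seq[key_id] = seq
        return payload


if __name__ == "__main__":
    rx = Receiver(ROUTER_B_KEYS)
    msg = protect(ROUTER_A_KEYS, 7, 1, b"PATH session=constructed")
    print(rx.verify(msg))                # accepted
    print(rx.verify(msg))                # replay rejected
```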