RFC 3473 Notify security
Hi all,
At the last IETF meeting Allison Mankin pointed to RFC 3473 as being
relevant for the NSIS working group (from a protocol and security point of
view). Reading the security section I noticed that the Notify message is
sent in a non-hop-by-hop fashion and therefore cannot be secured using the
available RSVP security mechanisms (i.e. the INTEGRITY object).
The usage of IPsec is suggested for protection. Working on the "RSVP
security properties" document I realized that IPsec protection for RSVP is
not a simple task (due to a number of RSVP protocol characteristics).
If the Notify message is sent using raw IP (protocol type 46) then it is not
possible to secure the message appropriately since IKE, IKEv2 or KINK are
able to negotiate this type of traffic selector.
Possible solutions:
a) disable the non-hop-by-hop transmission of the Notify message
b) use UDP encapsulation (although deprecated)
Considering the additional overhead of securing the Notify message it seems
to be much easier to consider (a) as a viable option.
(b) would allow the source/destination UDP ports to be used as a traffic
selector (in addition to the src/dst IP address).
Further thoughts?
Ciao
Hannes
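As an added illustration of the traffic-selector point raised in the mail above (example code written for this archive page, not part of Hannes' message and not taken from any RSVP or IPsec implementation): a toy model of IPsec security policy (SPD) selectors, applied to constructed RSVP packets. It shows that with raw IP protocol 46 the only usable selector fields are the addresses and the protocol number, so a policy written for the non-hop-by-hop Notify message necessarily covers every RSVP message between the same two nodes, whereas the UDP encapsulation of option (b) adds the UDP ports as a further selector field. The addresses, the UDP port number and the message types are assumptions made for the demo.

```python
"""
Toy model of IPsec SPD traffic selectors, used to compare RSVP carried as
raw IP protocol 46 with RSVP carried in UDP. Constructed example; the
addresses, port and message labels below are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

RSVP_PROTO = 46        # IP protocol number used by RSVP (RFC 2205)
UDP_PROTO = 17
RSVP_UDP_PORT = 1698   # assumed UDP port for the encapsulated RSVP demo traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ports exist only for UDP/TCP transports
    dport: Optional[int] = None
    kind: str = ""                # RSVP message type, purely for the demo


@dataclass(frozen=True)
class Selector:
    """One SPD selector: address prefixes, optional protocol, optional port ranges."""
    src: str
    dst: str
    proto: Optional[int] = None
    sport: Optional[range] = None
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        # A port selector can only be satisfied by a transport that carries ports;
        # a raw protocol-46 packet never matches a port-qualified selector.
        if self.sport is not None and (p.sport is None or p.sport not in self.sport):
            return False
        if self.dport is not None and (p.dport is None or p.dport not in self.dport):
            return False
        return True


def classify(spd, packet: Packet) -> str:
    """Return the action of the first matching SPD entry; DISCARD if none matches."""
    for selector, action in spd:
        if selector.matches(packet):
            return action
    return "DISCARD"


# Constructed packets: a hop-by-hop Path message to the next hop, a Notify sent
# directly to a non-adjacent node as raw IP, and the same Notify in UDP.
PATH_MSG = Packet("10.0.0.1", "10.0.0.2", RSVP_PROTO, kind="Path")
NOTIFY_RAW = Packet("10.0.0.1", "10.0.0.9", RSVP_PROTO, kind="Notify")
NOTIFY_UDP = Packet("10.0.0.1", "10.0.0.9", UDP_PROTO,
                    sport=RSVP_UDP_PORT, dport=RSVP_UDP_PORT, kind="Notify")


def raw_ip_spd():
    """Policy for RSVP as raw IP: the selector has nothing but addresses and
    protocol, so it cannot single out the Notify message."""
    return [(Selector("10.0.0.0/24", "10.0.0.0/24", proto=RSVP_PROTO), "PROTECT")]


def udp_encap_spd():
    """Policy for UDP-encapsulated RSVP: the port qualifies the selector, so the
    encapsulated traffic is protected by IPsec while hop-by-hop raw RSVP
    (assumed here to rely on the INTEGRITY object) is left to bypass."""
    return [
        (Selector("10.0.0.0/24", "10.0.0.0/24", proto=UDP_PROTO,
                  dport=range(RSVP_UDP_PORT, RSVP_UDP_PORT + 1)), "PROTECT"),
        (Selector("10.0.0.0/24", "10.0.0.0/24", proto=RSVP_PROTO), "BYPASS"),
    ]


if __name__ == "__main__":
    for name, spd in (("raw IP", raw_ip_spd()), ("UDP encap", udp_encap_spd())):
        for pkt in (PATH_MSG, NOTIFY_RAW, NOTIFY_UDP):
            print(f"{name:9s} {pkt.kind:6s} proto={pkt.proto:2d} -> {classify(spd, pkt)}")
```

The last case in the UDP policy is the one to watch: a Notify message that is still sent as raw protocol 46 falls through to BYPASS, so a node that does not actually switch to the UDP encapsulation gets no IPsec protection from such a policy.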