
Re: draft-ietf-ppvpn-requirements





--On Thursday, March 06, 2003 20:40:40 -0500 Steve Bellovin <smb@research.att.com> wrote:


5.9 There is text about how customer security measures must not hide
QoS information from the SP.  That's very wrong.  At least, it's wrong
if they mean "you must show us port numbers".  But more fundamentally,
it says "a security solution deployed by a customer must not hide
information...".  I don't think this document should be specifying that
sort of requirement for customer behavior.

this is a generic issue - we've been over this in relation to diffserv and ipsec a number of times - I think the right language is something like

"If the customer deploys a security solution that could hide information that normally would be used by the SP in providing QoS, it is the customer's responsibility to make sure the information is made available to the SP if the customer wants to take advantage of QoS features at the SP".

the case language below actually fits quite well with stating it like that.

If I don't want my SP's QoS, I shouldn't have to care about accommodating it.

(btw, it's fun to see "replay attack" listed as a high level security service :-)

Harald