Re: draft-ietf-ppvpn-requirements



In message <940500000.1047026468@askvoll.hjemme.alvestrand.no>, Harald Tveit Alvestrand writes:
>
>
>--On Thursday, March 06, 2003 20:40:40 -0500 Steve Bellovin 
><smb@research.att.com> wrote:
>
>
>> 5.9 There is text about how customer security measures must not hide
>> QoS information from the SP.  That's very wrong.  At least, it's wrong
>> if they mean "you must show us port numbers".  But more fundamentally,
>> it says "a security solution deployed by a customer must not hide
>> information...".  I don't think this document should be specifying that
>> sort of requirements for customer behavior.
>
>this is a generic issue - we've been over this in relation to diffserv and 
>ipsec a number of times - I think the right language is something like
>
>"If the customer deploys a security solution that could hide information 
>that normally would be used by the SP in providing QoS, it is the 
>customer's responsibility to make sure the information is made available to 
>the SP if the customer wants to take advantage of QoS features at the SP".
>
>the case language below actually fits quite well with stating it like that.
>
>If I don't want my SP's QoS, I shouldn't have to care about accommodating it.

Agreed.  I was going to suggest something like that, but I was too 
fried last night to compose anything clear enough.

>
>(btw, it's fun to see "replay attack" listed as a high level security 
>service :-)
>
yes.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)