Re: draft-ietf-ppvpn-requirements
In message <940500000.1047026468@askvoll.hjemme.alvestrand.no>, Harald Tveit Alvestrand writes:
>
>
>--On torsdag, mars 06, 2003 20:40:40 -0500 Steve Bellovin
><smb@research.att.com> wrote:
>
>
>> 5.9 There is text about how customer security measures must not hide
>> QoS information from the SP. That's very wrong. At least, it's wrong
>> if they mean "you must show us port numbers". But more fundamentally,
>> it says "a security solution deployed by a customer must not hide
>> information...". I don't think this document should be specifying that
>> sort of requirements for customer behavior.
>
>this is a generic issue - we've been over this in relation to diffserv and
>ipsec a number of times - I think the right language is something like
>
>"If the customer deploys a security solution that could hide information
>that normally would be used by the SP in providing QoS, it is the
>customer's responsibility to make sure the information is made available to
>the SP if the customer wants to take advantage of QoS features at the SP".
>
>the case language below actually fits quite well with stating it like that.
>
>If I don't want my SP's QoS, I shouldn't have to care about accommodating it.
Agreed. I was going to suggest something like that, but I was too
fried last night to compose anything clear enough.
>
>(btw, it's fun to see "replay attack" listed as a high level security
>service :-)
>
yes.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)