rfcdiff of draft-ietf-tsvwg-rsvp-security-groupkeying-03.txt and draft-ietf-tsvwg-rsvp-security-groupkeying-04.txt. Text that differs between the two versions is marked [-03] / [-04].

Network Working Group                                       M. Behringer
Internet-Draft                                             F. Le Faucheur
Intended status: Informational                         Cisco Systems Inc
Expires: September 6, 2009 [-03] / September 25, 2009 [-04]
                                March 5, 2009 [-03] / March 24, 2009 [-04]

          Applicability of Keying Methods for RSVP Security
          draft-ietf-tsvwg-rsvp-security-groupkeying-03.txt [-03]
          draft-ietf-tsvwg-rsvp-security-groupkeying-04.txt [-04]

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.
skipping to change at page 1, line 32

   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 6, 2009 [-03] /
   September 25, 2009 [-04].

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 44

   9.  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
   10. Security Considerations . . . . . . . . . . . . . . . . . . . 14
     10.1. Subverted RSVP Nodes . . . . . . . . . . . . . . . . . . . 15
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15
   12. Changes to Previous Version . . . . . . . . . . . . . . . . . 15
     12.1. changes from behringer-00 to behringer-01 . . . . . . . . 15
     12.2. changes from behringer-01 to ietf-00 . . . . . . . . . . . 16
     12.3. changes from ietf-00 to ietf-01 . . . . . . . . . . . . . 16
     12.4. changes from ietf-01 to ietf-02 . . . . . . . . . . . . . 16
     12.5. changes from ietf-02 to ietf-03 . . . . . . . . . . . . . 16
     12.6. changes from ietf-03 to ietf-04 . . . . . . . . . . . . . 17  [-04 only]
   13. Informative References . . . . . . . . . . . . . . . . . . . . 17
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18 [-03] / 19 [-04]
1. Introduction and Problem Statement

   The Resource reSerVation Protocol [RFC2205] allows hop-by-hop
   authentication of RSVP neighbors, as specified in [RFC2747]. In this
   mode, an integrity object is attached to each RSVP message to
   transmit a keyed message digest. This message digest allows the
   recipient to verify the authenticity of the RSVP node that sent the
   message, and to validate the integrity of the message. Through the
   inclusion of a sequence number in the scope of the digest, the digest
skipping to change at page 14, line 28
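As an added example (not text or code from the draft), the following Python sketches the INTEGRITY-object check that the introduction describes: a keyed digest (HMAC-MD5, as in RFC 2747) computed over the whole message with the digest field zeroed, key lookup by Key Identifier, and a monotonically increasing sequence number so a replayed message is rejected. The RSVP message framing, the zero checksum and the placement of the INTEGRITY object directly after the 8-byte common header are assumptions made for this example.

```python
import hmac
import hashlib
import struct

# Object layout follows RFC 2747: 4-byte object header (Length,
# Class-Num 4, C-Type 1), then Flags(1), Reserved(1), Key Identifier(6),
# Sequence Number(8), Keyed Message Digest(16, HMAC-MD5).  Placing the
# object right after the RSVP common header is an assumption here.
HDR_LEN = 8
INTEGRITY_LEN = 36
DIGEST_OFF = HDR_LEN + 4 + 16      # start of the 16-byte digest field
DIGEST_LEN = 16


def compute_digest(key: bytes, msg: bytes) -> bytes:
    # The digest covers the entire message with the digest field zeroed.
    zeroed = (msg[:DIGEST_OFF] + b"\x00" * DIGEST_LEN
              + msg[DIGEST_OFF + DIGEST_LEN:])
    return hmac.new(key, zeroed, hashlib.md5).digest()


def build_message(key_id: bytes, seq: int, key: bytes, body: bytes) -> bytes:
    # Constructed RSVP-like message: common header, INTEGRITY object, body.
    total = HDR_LEN + INTEGRITY_LEN + len(body)
    header = struct.pack("!BBHBBH", 0x10, 1, 0, 255, 0, total)
    integ = struct.pack("!HBBBB6sQ16s", INTEGRITY_LEN, 4, 1, 0, 0,
                        key_id, seq, b"\x00" * DIGEST_LEN)
    msg = header + integ + body
    return (msg[:DIGEST_OFF] + compute_digest(key, msg)
            + msg[DIGEST_OFF + DIGEST_LEN:])


class Receiver:
    """Per-neighbor verifier: key lookup, digest check, replay check."""

    def __init__(self, keys: dict):
        self.keys = keys          # Key Identifier -> shared secret
        self.last_seq = {}        # Key Identifier -> highest accepted seq

    def verify(self, msg: bytes):
        if len(msg) < HDR_LEN + INTEGRITY_LEN:
            return False, "truncated"
        _, _, key_id, seq, digest = struct.unpack_from("!BB6sQ16s", msg, HDR_LEN + 4)
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        # Authenticate before trusting seq, so a forgery cannot move the window.
        if not hmac.compare_digest(digest, compute_digest(key, msg)):
            return False, "bad digest"
        if seq <= self.last_seq.get(key_id, -1):
            return False, "replayed or stale sequence number"
        self.last_seq[key_id] = seq
        return True, "ok"
```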
   |                             | based keys         |                |
   +-----------------------------+--------------------+----------------+
   | Works intra-domain          | Yes                | Yes            |
   | Works inter-domain          | Yes                | No             |
   | Works over non-RSVP hops    | No                 | Yes (1)        |
   | Dynamic keying              | Yes (IKE)          | Yes (eg GDOI)  |
   +-----------------------------+--------------------+----------------+

       Table 1: Overview of keying approaches and their applicability

   (1) [-03]: RSVP authentication with group keys works over non-RSVP
   nodes; RSVP encryption with IPsec ESP Tunnel mode does not.

   (1) [-04]: RSVP integrity with group keys works over non-RSVP nodes;
   RSVP encryption with ESP and RSVP authentication with AH work over
   non-RSVP nodes in 'Tunnel Mode with Address Preservation'; RSVP
   encryption with ESP & RSVP authentication with AH do not work over
   non-RSVP nodes in 'Tunnel Mode'.
   We also make the following observations:

   o  All key types can be used statically, or with dynamic key
      negotiation. This impacts the manageability of the solution, but
      not the applicability itself.

   o  For encryption of RSVP messages IPsec ESP in tunnel mode can be
      used. There is however a security concern, see Section 6.2.

   o  There are some special cases in RSVP, like non-RSVP hosts, the
      "Notify" message (as discussed in section 5.1), the various RSVP
skipping to change at page 17, line 5

   o  Various editorial changes.

12.5. changes from ietf-02 to ietf-03

   o  Extension of section 6.3 (Using IPsec AH), to address comments
      received from Ran Atkinson. Included a comparison of what AH
      protects vs what the INTEGRITY object protects.

   o  Added section 6.5 on "tunnel mode with address preservation".

   o  Some minor edits.

12.6. changes from ietf-03 to ietf-04  [-04 only]

   o  Added below table 1 in note (1) that "RSVP encryption with ESP and
      RSVP authentication with AH work over non-RSVP nodes in 'Tunnel
      Mode with Address Preservation'"
13. Informative References

   [I-D.ietf-pcn-architecture]
              Eardley, P., "Pre-Congestion Notification (PCN)
              Architecture", draft-ietf-pcn-architecture-09 (work in
              progress), January 2009 [-03] /
              draft-ietf-pcn-architecture-10 (work in progress),
              March 2009 [-04].

   [I-D.ietf-tsvwg-rsvp-proxy-approaches]
              Faucheur, F., Manner, J., Wing, D., and A. Guillou, "RSVP
              Proxy Approaches",
              draft-ietf-tsvwg-rsvp-proxy-approaches-06 (work in
              progress), October 2008.

   [I-D.weis-gdoi-mac-tek]
              Weis, B. and S. Rowles, "GDOI Generic Message
              Authentication Code Policy", draft-weis-gdoi-mac-tek-00
End of changes. 8 change blocks.
8 lines changed or deleted, 18 lines changed or added.

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/