IETF Logo Mail Archive

Re: [tsvwg] New rev of IntServ MULTI_TSPEC

Lars Eggert <lars.eggert@nokia.com> Mon, 27 July 2009 08:31 UTC

Return-Path: <lars.eggert@nokia.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3118F28C13F for <tsvwg@core3.amsl.com>; Mon, 27 Jul 2009 01:31:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CqNSEfUDqELz for <tsvwg@core3.amsl.com>; Mon, 27 Jul 2009 01:31:39 -0700 (PDT)
Received: from mail.fit.nokia.com (mail.fit.nokia.com [195.148.124.195]) by core3.amsl.com (Postfix) with ESMTP id 3464D3A68CF for <tsvwg@ietf.org>; Mon, 27 Jul 2009 01:31:39 -0700 (PDT)
Received: from [IPv6:2001:df8::80:225:ff:fe45:eccf] ([IPv6:2001:df8:0:80:225:ff:fe45:eccf]) (authenticated bits=0) by mail.fit.nokia.com (8.14.3/8.14.3) with ESMTP id n6R8VRgc063120 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Mon, 27 Jul 2009 11:31:28 +0300 (EEST) (envelope-from lars.eggert@nokia.com)
Message-Id: <FBA51016-DCA9-4DA2-AAFE-26390AD33A7F@nokia.com>
From: Lars Eggert <lars.eggert@nokia.com>
To: Francois Le Faucheur IMAP <flefauch@cisco.com>
In-Reply-To: <B988E5CF-DBF4-4B93-B58F-B521A108570B@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail-95--206657258"; micalg="sha1"; protocol="application/pkcs7-signature"
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Mon, 27 Jul 2009 10:31:22 +0200
References: <XFE-SJC-212USp3sJWG000080ba@xfe-sjc-212.amer.cisco.com> <3C1F86AD-D81E-4816-9D5F-CC8065B17545@nokia.com> <260B5715-2DA4-47FE-88E3-158F94FDA5FF@cisco.com> <57C993B8-B0AE-4C46-B54D-C6F883D0844D@nokia.com> <XFE-SJC-212AJNACcKl00009d8b@xfe-sjc-212.amer.cisco.com> <B988E5CF-DBF4-4B93-B58F-B521A108570B@cisco.com>
X-Mailer: Apple Mail (2.935.3)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.2 (mail.fit.nokia.com [IPv6:2001:2060:40:1::123]); Mon, 27 Jul 2009 11:31:29 +0300 (EEST)
Cc: "James M. Polk" <jmpolk@cisco.com>, tsvwg <tsvwg@ietf.org>
Subject: Re: [tsvwg] New rev of IntServ MULTI_TSPEC
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2009 08:31:40 -0000

Hi,

the text below looks OK, but I really believe this needs to be a MUST  
here, because of the additional attack angle.

Lars

On 2009-7-27, at 10:00, Francois Le Faucheur IMAP wrote:
> FYI, after going through similar discussions as part of the AD review
> of draft-ietf-tsvwg-rsvp-l3vpn, we agreed to include the following
> text in the Security Considerations section:
>
> " To ensure the integrity of RSVP, the RSVP Authentication mechanisms
> defined in [RFC2747] and [RFC3097] SHOULD be used. Those protect RSVP
> message integrity hop-by-hop and provide node authentication as well
> as replay protection, thereby protecting against corruption and
> spoofing of RSVP messages."
>
> I suggest you include same or similar text.
>
> BTW, there may be more text from the security considerations of draft-
> ietf-tsvwg-rsvp-l3vpn that may be worth considering.

v2.23.0 | Report a Bug | By Email