[Tsvwg] Comments at IETF74 regarding draft-ietf-tsvwg-rsvp-security-groupkeying-04
"Michael Behringer (mbehring)" <mbehring@cisco.com> Tue, 14 April 2009 21:08 UTC
Return-Path: <mbehring@cisco.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 03EBE3A695B for <tsvwg@core3.amsl.com>; Tue, 14 Apr 2009 14:08:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T1HiH0eCBU7O for <tsvwg@core3.amsl.com>; Tue, 14 Apr 2009 14:08:41 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id C009C3A67A8 for <tsvwg@ietf.org>; Tue, 14 Apr 2009 14:08:40 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.40,187,1238976000"; d="scan'208";a="38296288"
Received: from ams-dkim-2.cisco.com ([144.254.224.139]) by ams-iport-1.cisco.com with ESMTP; 14 Apr 2009 21:09:44 +0000
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n3EL9iTk006375; Tue, 14 Apr 2009 23:09:44 +0200
Received: from xbh-ams-332.emea.cisco.com (xbh-ams-332.cisco.com [144.254.231.87]) by ams-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n3EL9hIJ009098; Tue, 14 Apr 2009 21:09:43 GMT
Received: from xmb-ams-335.cisco.com ([144.254.231.80]) by xbh-ams-332.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Apr 2009 23:09:43 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 14 Apr 2009 23:09:40 +0200
Message-ID: <DD0238A0AAE9B74A8F70A91BDF497C2F052CC8C7@xmb-ams-335.emea.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comments at IETF74 regarding draft-ietf-tsvwg-rsvp-security-groupkeying-04
Thread-Index: Acm9RVNdkeEO+nTLRV6oKrN8sQalWQ==
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: Bob Briscoe <rbriscoe@jungle.bt.co.uk>
X-OriginalArrivalTime: 14 Apr 2009 21:09:43.0937 (UTC) FILETIME=[555DBF10:01C9BD45]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2035; t=1239743384; x=1240607384; c=relaxed/simple; s=amsdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mbehring@cisco.com; z=From:=20=22Michael=20Behringer=20(mbehring)=22=20<mbehring @cisco.com> |Subject:=20Comments=20at=20IETF74=20regarding=20draft-ietf -tsvwg-rsvp-security-groupkeying-04 |Sender:=20; bh=92aDsN/G3DgcG5NTBfkxqnsYOEKJUM2R8dVHEkNDzr4=; b=mmgOgT8VSjWCOMygJexlK5b6KGsgxF72ZOBY8wUANhaqBm1M23USB8H95A Ydphm+m7pWyvRN+xwkZOBHhCtp0eX7b0vdkKRvl4m7GXKkParOJG40dvlPXF XxPCwd5o3A;
Authentication-Results: ams-dkim-2; header.From=mbehring@cisco.com; dkim=pass ( sig from cisco.com/amsdkim2001 verified; );
Cc: tsvwg@ietf.org
Subject: [Tsvwg] Comments at IETF74 regarding draft-ietf-tsvwg-rsvp-security-groupkeying-04
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2009 21:08:42 -0000
Bob, At the last IETF you made a comment at the microphone regarding http://tools.ietf.org/html/draft-ietf-tsvwg-rsvp-security-groupkeying I wasn't there personally, but I believe your comment was along the lines: "tunnel mode with address preservation is subject to change of the outer address (like we pointed out for tunnel mode already), and this should be mentioned explicitly." Do I capture your comment / suggestion correctly? If so, would the following change in section 6.6 address your comment, or is it too simplistic? (suggested changes marked with ***) -- 6.6. Applicability of Tunnel Mode with Address Preservation The document "Multicast Extensions to the Security Architecture for the Internet Protocol" [RFC5374] defines in section 3.1 a new tunnel mode: Tunnel mode with address preservation. This mode copies the destination and optionally the source address from the inner header to the outer header. Therefore the encapsulated packet will have the same destination address as the original packet, and be normally subject to the same routing decisions. While [RFC5374] is focusing on multicast environments, tunnel mode with address preservation can be used also to protect unicast traffic in conjunction with group keying. Tunnel mode with address preservation, in conjunction with group keying, allows the use of IPsec AH or ESP for protection of RSVP even in cases where non-RSVP nodes have to be traversed. This is because it allows routing of the IPsec protected packet through the non-RSVP nodes in the same way as if it was not IPsec protected. ***Note that IPsec tunnel mode with address preservation is also susceptible to the man-in-the-middle attack described in section 6.2, since the outer header is not protected. This is a property of IPsec tunnel mode; address-preservation does not change this property. -- Thanks for your help in reviewing this document! Michael
- [Tsvwg] Comments at IETF74 regarding draft-ietf-t… Michael Behringer (mbehring)
- Re: [Tsvwg] Comments at IETF74 regarding draft-ie… Bob Briscoe