RSVP Security Properties
RFC 4230
Document Type RFC - Informational (December 2005; Errata)
Authors Richard Graveman  , Hannes Tschofenig 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4230 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Allison Mankin
Send notices to john.loughney@nokia.com
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                      H. Tschofenig
Request for Comments: 4230                                       Siemens
Category: Informational                                      R. Graveman
                                                            RFG Security
                                                           December 2005

                        RSVP Security Properties

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document summarizes the security properties of RSVP.  The goal
   of this analysis is to benefit from previous work done on RSVP and to
   capture knowledge about past activities.

Tschofenig & Graveman        Informational                      [Page 1]
RFC 4230                RSVP Security Properties           December 2005

Table of Contents

   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.   Terminology and Architectural Assumptions  . . . . . . . . .   3
   3.   Overview . . . . . . . . . . . . . . . . . . . . . . . . . .   5
        3.1.  The RSVP INTEGRITY Object  . . . . . . . . . . . . . .   5
        3.2.  Security Associations  . . . . . . . . . . . . . . . .   8
        3.3.  RSVP Key Management Assumptions  . . . . . . . . . . .   8
        3.4.  Identity Representation  . . . . . . . . . . . . . . .   9
        3.5.  RSVP Integrity Handshake   . . . . . . . . . . . . . .  13
   4.   Detailed Security Property Discussion  . . . . . . . . . . .  15
        4.1.  Network Topology   . . . . . . . . . . . . . . . . . .  15
        4.2.  Host/Router  . . . . . . . . . . . . . . . . . . . . .  15
        4.3.  User to PEP/PDP  . . . . . . . . . . . . . . . . . . .  19
        4.4.  Communication between RSVP-Aware Routers . . . . . . .  28
   5.   Miscellaneous Issues . . . . . . . . . . . . . . . . . . . .  29
        5.1.  First-Hop Issue  . . . . . . . . . . . . . . . . . . .  30
        5.2.  Next-Hop Problem . . . . . . . . . . . . . . . . . . .  30
        5.3.  Last-Hop Issue   . . . . . . . . . . . . . . . . . . .  33
        5.4.  RSVP- and IPsec-protected data traffic . . . . . . . .  34
        5.5.  End-to-End Security Issues and RSVP  . . . . . . . . .  36
        5.6.  IPsec protection of RSVP signaling messages  . . . . .  36
        5.7.  Authorization  . . . . . . . . . . . . . . . . . . . .  37
   6.   Conclusions  . . . . . . . . . . . . . . . . . . . . . . . .  38
   7.   Security Considerations  . . . . . . . . . . . . . . . . . .  40
   8.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  40
   9.   References . . . . . . . . . . . . . . . . . . . . . . . . .  40
        9.1.  Normative References . . . . . . . . . . . . . . . . .  40
        9.2.  Informative References . . . . . . . . . . . . . . . .  41
   A.   Dictionary Attacks and Kerberos  . . . . . . . . . . . . . .  45
   B.   Example of User-to-PDP Authentication  . . . . . . . . . . .  45
   C.   Literature on RSVP Security  . . . . . . . . . . . . . . . .  46

Tschofenig & Graveman        Informational                      [Page 2]
RFC 4230                RSVP Security Properties           December 2005

1.  Introduction

   As the work of the NSIS working group began, concerns about security
   and its implications for the design of a signaling protocol were
   raised.  In order to understand the security properties and available
   options of RSVP, a number of documents have to be read.  This
   document summarizes the security properties of RSVP and is part of
   the overall process of analyzing other signaling protocols and
   learning from their design considerations.  This document should also
   provide a starting point for further discussions.

   The content of this document is organized as follows.  Section 2
   introduces the terminology used throughout the document.  Section 3
   provides an overview of the security mechanisms provided by RSVP
   including the INTEGRITY object, a description of the identity
   representation within the POLICY_DATA object (i.e., user
   authentication), and the RSVP Integrity Handshake mechanism.  Section
   4 provides a more detailed discussion of the mechanisms used and
   tries to describe in detail the mechanisms provided.  Several
   miscellaneous issues are covered in Section 5.

   RSVP also supports multicast, but this document does not address
   security aspects for supporting multicast QoS signaling.  Multicast
   is currently outside the scope of the NSIS working group.

   Although a variation of RSVP, namely RSVP-TE, is used in the context
   of MPLS to distribute labels for a label switched path, its usage is
   different from the usage scenarios envisioned for NSIS.  Hence, this
   document does not address RSVP-TE or its security properties.
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools