RSVP Security Properties
RFC 4230
Network Working Group                                      H. Tschofenig
Request for Comments: 4230                                       Siemens
Category: Informational                                      R. Graveman
                                                            RFG Security
                                                           December 2005
RSVP Security Properties
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document summarizes the security properties of RSVP. The goal
of this analysis is to benefit from previous work done on RSVP and to
capture knowledge about past activities.
Tschofenig & Graveman Informational [Page 1]
RFC 4230 RSVP Security Properties December 2005
Table of Contents
1. Introduction
2. Terminology and Architectural Assumptions
3. Overview
   3.1. The RSVP INTEGRITY Object
   3.2. Security Associations
   3.3. RSVP Key Management Assumptions
   3.4. Identity Representation
   3.5. RSVP Integrity Handshake
4. Detailed Security Property Discussion
   4.1. Network Topology
   4.2. Host/Router
   4.3. User to PEP/PDP
   4.4. Communication between RSVP-Aware Routers
5. Miscellaneous Issues
   5.1. First-Hop Issue
   5.2. Next-Hop Problem
   5.3. Last-Hop Issue
   5.4. RSVP- and IPsec-protected data traffic
   5.5. End-to-End Security Issues and RSVP
   5.6. IPsec protection of RSVP signaling messages
   5.7. Authorization
6. Conclusions
7. Security Considerations
8. Acknowledgements
9. References
   9.1. Normative References
   9.2. Informative References
A. Dictionary Attacks and Kerberos
B. Example of User-to-PDP Authentication
C. Literature on RSVP Security
1. Introduction
As the work of the NSIS working group began, concerns about security
and its implications for the design of a signaling protocol were
raised. In order to understand the security properties and available
options of RSVP, a number of documents have to be read. This
document summarizes the security properties of RSVP and is part of
the overall process of analyzing other signaling protocols and
learning from their design considerations. This document should also
provide a starting point for further discussions.
The content of this document is organized as follows. Section 2
introduces the terminology used throughout the document. Section 3
provides an overview of the security mechanisms provided by RSVP
including the INTEGRITY object, a description of the identity
representation within the POLICY_DATA object (i.e., user
authentication), and the RSVP Integrity Handshake mechanism. Section
4 discusses the mechanisms used in more detail. Several
miscellaneous issues are covered in Section 5.
RSVP also supports multicast, but this document does not address
security aspects for supporting multicast QoS signaling. Multicast
is currently outside the scope of the NSIS working group.
Although a variation of RSVP, namely RSVP-TE, is used in the context
of MPLS to distribute labels for a label switched path, its usage is
different from the usage scenarios envisioned for NSIS. Hence, this
document does not address RSVP-TE or its security properties.