RSVP Domain of Interpretation for ISAKMP (draft-tschofenig-rsvp-doi-00.txt) - PowerPoint PPT Presentation

1
RSVP Domain of Interpretation for ISAKMP
(draft-tschofenig-rsvp-doi-00.txt)
  • Authors: Hannes Tschofenig, Henning Schulzrinne

2
The Problem
  • There is no dynamic key management for the RSVP
    Integrity Object.
  • Adding authentication and key exchange protocols
    to RSVP itself requires modifications to the RSVP
    protocol (e.g. new messages, different RSVP
    message handling, fragmentation handling, etc.)

3
Proposal
  • Separate the two security protocols:
    • Authentication and key establishment
    • RSVP signaling message protection (data origin
      authentication, integrity and replay protection)
  • Current draft leaves RSVP Integrity Object as it
    is (although we see room for improvement)
  • Proposal
    • allows incremental deployment (use dynamic key
      management where necessary, keep the rest with
      statically configured keys)
    • reuses known key management protocols (IKE and
      KINK)
    • is primarily targeted for intra- and inter-domain
      RSVP signaling

4
How does it work?
  • The ISAKMP framework allows IKE not only to
    establish IPsec SAs but also other security
    associations.
  • Although rarely used in the past, a few proposals
    have been published:
    • MAP (see draft-arkko-map-doi-07.txt)
    • SMPLS (see draft-tsenevir-smpls-doi-01.txt)
    • GKMP
  • The RSVP DoI draft therefore defines which
    parameters have to be exchanged in order to
    create a security association for the usage with
    RSVP (and the RSVP Integrity Object in
    particular).

5
Message Flow
[Figure: message flow between RSVP Router A and RSVP Router B. Each router
has an RSVP Module and a Key Engine; the two Key Engines run "IKE / KINK
with RSVP DoI" for authentication and key exchange. Steps are numbered
1-10 (simplified; the real exchange requires more roundtrips).]
Message flow covers the case where no appropriate
security association is available. The key
engine triggers the key management to create one.
Note that most communication is API specific and
does not require protocol interaction between the
RSVP nodes.
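As an added example (not from the draft or these slides), the flow above as a small Python simulation: each router has a key engine holding its security associations, a statically configured SA never triggers key management, a missing SA triggers a stand-in for the IKE/KINK exchange (constructed; the real exchange negotiates the parameters the RSVP DoI defines), and the resulting SA protects an RSVP message with an RFC 2747 style INTEGRITY object (Key ID, Sequence Number, keyed digest) that the receiver verifies with replay protection. All class and function names, and the sample keys, are assumptions.

```python
import hashlib
import hmac
import struct


class KeyManagement:
    """Stand-in for IKE/KINK with the RSVP DoI (constructed, not the real exchange):
    one run between two key engines installs the same SA (key id, key) on both."""

    def __init__(self):
        self.engines, self.exchanges = {}, 0

    def establish(self, a, b):
        self.exchanges += 1
        key = hashlib.sha256(b"constructed-key-%d" % self.exchanges).digest()
        sa = (0x000100 + self.exchanges, key)
        self.engines[a].sas[b] = sa
        self.engines[b].sas[a] = sa
        return sa


class KeyEngine:
    """Per-router key engine: statically configured SAs never trigger key management."""

    def __init__(self, name, km, static=None):
        self.name, self.km, self.sas = name, km, dict(static or {})
        km.engines[name] = self

    def get_sa(self, peer):
        if peer not in self.sas:  # no SA available: the key engine triggers key management
            self.km.establish(self.name, peer)
        return self.sas[peer]


def build_integrity_object(engine, peer, seq, message):
    """RFC 2747 INTEGRITY object: 48-bit Key ID, 64-bit Sequence Number, keyed digest
    (RFC 2747's default is HMAC-MD5; HMAC-SHA256 is used here, the layout is the same)."""
    key_id, key = engine.get_sa(peer)
    header = key_id.to_bytes(6, "big") + struct.pack(">Q", seq)
    return header + hmac.new(key, header + message, hashlib.sha256).digest()


def verify_integrity_object(engine, peer, obj, message, last_seq):
    """Receiver: SA must exist, Key ID and digest must match, sequence must increase."""
    sa = engine.sas.get(peer)
    if sa is None or len(obj) < 14 or int.from_bytes(obj[:6], "big") != sa[0]:
        return False
    expected = hmac.new(sa[1], obj[:14] + message, hashlib.sha256).digest()
    seq = struct.unpack(">Q", obj[6:14])[0]
    return hmac.compare_digest(obj[14:], expected) and seq > last_seq  # replay protection
```

A receiver that has no SA for the peer rejects the message rather than triggering key management itself; only the sending side's key engine starts the exchange.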
6
Next steps
  • While working on the draft we identified some open
    issues:
    • Identities used in the Identification payload
      require more details
    • REPLAY-STATUS notification
    • authorization and access control (for the given
      usage environment)
  • Currently the document does not address:
    • protection of multicast RSVP signaling messages
    • confidentiality protection