
RE: Policy control for RSVP



# hi kaustubh, hi paolo!

# from a security perspective access control (access authorization) at the
# first hop router is provided by a previous registration to the network e.g.
# - authentication at layer 2 e.g. as provided by wireless lan (via eap)
# - AAA (radius, diameter)

# this registration is finished before the actual qos signaling takes place.
# furthermore there is the rsvp integrity object which provides host-based
# authentication.

# hence a denial of service attack is difficult if the sender of the rsvp
# message is authenticated. every time a path or a rsvp message is sent from
# the user to the first hop router a policy object should! be included to
# allow policy based admission control. this allows authenticating the user
# at the pep or pdp, authorization of the request
# and possibly an accounting procedure to be triggered.

# in my opinion both the path and resv message (transmitted by the user's
# host) should include a policy element.

# what do you think?

# ciao
# hannes

Hi! Paolo,

	Thanks for your reply. Yes, I just wanted to confirm/compare the
trade-offs and implications of doing or not doing access authorization for
the PATH message. The main driving factor of doing this mainly looks to
be more of a security stand-point (denial of service etc.) than
QoS or resource reservation itself, since the bandwidth reservation and
connection set-up is not complete anyway till the RESV message gets back
to the sender.

Thank you
regards
Kaustubh