The MPLS-OPS Archive


RE: RSVP-TE and IPSEC

  • From: "Donkin, Richard" <rdonkin@orchestream.com>
  • Date: Thu, 19 Apr 2001 18:35:14 +0100
  • Resent-Date: Thu, 19 Apr 2001 16:01:23 -0400
  • To: "'Srihari Raghavan'" <sraghava@vt.edu>, mpls-ops@mplsrc.com


> -----Original Message-----
> From: Srihari Raghavan [mailto:sraghava@vt.edu]
> Sent: 08 April 2001 20:18
> To: mpls-ops@mplsrc.com
> Subject: RSVP-TE and IPSEC
> 
> 
> Hi all,
>   I read somewhere that IPSEC cannot be used with RSVP-TE due 
> to the need for the intermediate LSRs to access information in the Path 
> messages. Is this true?

IPSec is just like any other traffic carried over an MPLS network: there is
no need to inspect it, except perhaps to assign it to a CoS level. That would
happen in IP mode, most likely at the CE, which may well be the IPSec
gateway, in which case the unencrypted traffic can be used for classification
and for marking the DiffServ codepoint.  This is true whether or not RSVP-TE
is used in creating the MPLS LSPs.

This may be a somewhat garbled version of 'RSVP can't be used with IPSec' -
i.e. flow-based QoS using RSVP signalled from hosts, not the RSVP-TE variant
that is used between routers.  RSVP initially only supported use of IP
addresses, port numbers and IP protocol to classify traffic - so, since
IPSec encrypts the port number information, it was not possible to classify
on this.  However, there is an RFC
(http://community.roxen.com/developers/idocs/rfc/rfc2207.html) suggesting
extensions to RSVP that would allow the RSVP-signalling host to specify the
IPSec SPI (security parameters index, i.e. per-IPSec security association)
to be used instead of the port numbers.  The SPI is visible to the
RSVP-aware routers, so they are able to classify IPSec flows just like
unencrypted TCP/UDP flows.

Richard

> 
> Thanks in advance
> 
> Srihari Raghavan
> Graduate Student
> Dept. of Computer Science
> Virginia Tech
> =========================
> 
> -------
> The MPLS-OPS Mailing List
> Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
> Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
> 

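An added example, not part of the original thread: a small Python classifier modelled loosely on the distinction Richard draws between classic RSVP (ports) and the RFC 2207 approach (IPsec SPI). The `FlowKey` shape, the reservation table, and all addresses, SPIs and packet bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass

TCP, UDP, ESP, AH = 6, 17, 50, 51

@dataclass(frozen=True)
class FlowKey:
    # RSVP filter-spec fields: addresses, protocol, and dst port or (RFC 2207) SPI.
    src: str
    dst: str
    proto: int
    port_or_spi: int

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header for constructed test packets (checksum left 0)."""
    addr = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def flow_key(pkt, spi_aware):
    """Classify as a router sees the packet. Without SPI support an IPsec
    packet yields no key: its ports are inside the ESP ciphertext. With
    RFC 2207-style support the cleartext SPI stands in for the port."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    if proto in (TCP, UDP):
        return FlowKey(src, dst, proto, struct.unpack("!H", body[2:4])[0])
    if not spi_aware:
        return None
    if proto == ESP:  # SPI is the first 32 bits of the ESP header
        return FlowKey(src, dst, proto, struct.unpack("!I", body[0:4])[0])
    if proto == AH:   # SPI follows next-header, payload-len, reserved
        return FlowKey(src, dst, proto, struct.unpack("!I", body[4:8])[0])
    return None

# Constructed reservations: a plain UDP flow and an ESP flow keyed by SPI.
RESERVATIONS = {
    FlowKey("10.0.0.1", "10.0.0.2", UDP, 5004): "voice",
    FlowKey("192.0.2.1", "198.51.100.1", ESP, 0x1000ABCD): "vpn-voice",
}

def classify(pkt, spi_aware=True):
    return RESERVATIONS.get(flow_key(pkt, spi_aware), "best-effort")

# Constructed packets; the ESP payload after SPI+sequence is opaque ciphertext,
# so the inner UDP header and its port numbers are not recoverable.
UDP_PKT = ipv4(UDP, "10.0.0.1", "10.0.0.2", struct.pack("!HHHH", 40000, 5004, 8, 0))
ESP_PKT = ipv4(ESP, "192.0.2.1", "198.51.100.1",
               struct.pack("!II", 0x1000ABCD, 1) + b"\x9a\x1f\x00\x13\xc4\x22\x77\x05")
```

With `spi_aware=False` the ESP packet falls through to best-effort, which is the classic-RSVP limitation Richard describes; with SPI matching it lands in its reserved class without any decryption.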