Quality of Service

Security

There must be a secure way to prove to a QoS ACS server that an RSVP message is from a valid user in a trusted Windows 2000 domain. The message must contain the name of the user and the information must be cryptographically hashed by an entity that the QoS ACS trusts. Kerberos tickets are inserted into RSVP messages for this purpose.

The RSVP SP on a host, using the Kerberos Key Distribution Center (KDC) in the domain, can construct a one-way Kerberos ticket containing the identity of the user, a session key for the QoS ACS and a lifetime for the ticket. The ticket is encrypted with a shared key known by the KDC and the QoS ACS. The QoS ACS server uses the shared key to decrypt the ticket and get the session key, subsequently checking the cryptographic hash to make sure the RSVP policy object is genuine and has not been modified. This method also protects against ticket reuse via the cut-and-paste method.

An invalid Kerberos ticket causes an error log entry and a PATH-ERR or RESV-ERR message to be sent back to the originator. QoS ACS servers can be configured to generate network management alerts (SNMP traps) in such an event. For more information about SNMP, see "Simple Network Management Protocol" in this book.
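
The following sketch of the QoS ACS-side check described above is an added example, not Microsoft's code. It assumes the ticket has already been decrypted with the KDC/QoS ACS shared key, that the hash is keyed with the session key, and that it is HMAC-SHA256 over hypothetical policy-object fields (user, msg_type, flow). All sample values are constructed.

```python
import hashlib
import hmac
import json

FIELDS = ("user", "msg_type", "flow")  # assumed policy-object fields

def _digest(session_key: bytes, policy: dict) -> bytes:
    # Keyed hash over the message-specific fields (HMAC-SHA256 is an assumption).
    body = json.dumps({k: policy.get(k) for k in FIELDS}, sort_keys=True)
    return hmac.new(session_key, body.encode(), hashlib.sha256).hexdigest().encode()

def sign_policy(session_key: bytes, user: str, msg_type: str, flow: str) -> dict:
    """Host side: attach the keyed hash to the policy object."""
    policy = {"user": user, "msg_type": msg_type, "flow": flow}
    policy["digest"] = _digest(session_key, policy).decode()
    return policy

def acs_check(ticket: dict, policy: dict, now: float) -> tuple:
    """ACS side: ticket holds the already-decrypted user, session_key, expires.
    Returns ("OK", "") or (error message type, reason for the error log)."""
    err = "PATH-ERR" if policy.get("msg_type") == "PATH" else "RESV-ERR"
    if now >= ticket["expires"]:
        return err, "ticket lifetime exceeded"
    if policy.get("user") != ticket["user"]:
        return err, "user does not match ticket"
    claimed = str(policy.get("digest", "")).encode()
    # Constant-time comparison of the recomputed hash with the one received.
    if not hmac.compare_digest(_digest(ticket["session_key"], policy), claimed):
        return err, "policy object hash mismatch"
    return "OK", ""

# Constructed sample data, not from the page.
TICKET = {"user": "EXAMPLE\\alice", "session_key": b"k" * 32, "expires": 2000.0}
GOOD = sign_policy(TICKET["session_key"], "EXAMPLE\\alice", "RESV", "10.0.0.5:5004/udp")
# Cut-and-paste: the valid digest lifted into a message for a different flow.
PASTED = {**GOOD, "flow": "10.0.0.9:80/tcp"}

if __name__ == "__main__":
    for name, policy, now in (("good", GOOD, 1000.0), ("pasted", PASTED, 1000.0),
                              ("expired", GOOD, 3000.0)):
        print(name, acs_check(TICKET, policy, now))
```

Because the hash covers the fields of the message it travels in, a ticket and hash copied into a different request fail the check even though the ticket itself is still within its lifetime.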

© 1985-2000 Microsoft Corporation. All rights reserved.