Re: [dtn-interest] Comments on RFC 5050
Michael Noisternig <michael.noisternig@cased.de> Tue, 25 June 2013 09:47 UTC
Return-Path: <michael.noisternig@cased.de>
X-Original-To: dtn-interest@ietfa.amsl.com
Delivered-To: dtn-interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C01521F9FC4 for <dtn-interest@ietfa.amsl.com>; Tue, 25 Jun 2013 02:47:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.862
X-Spam-Level:
X-Spam-Status: No, score=-2.862 tagged_above=-999 required=5 tests=[AWL=0.387, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3QOraYUQaokZ for <dtn-interest@ietfa.amsl.com>; Tue, 25 Jun 2013 02:47:14 -0700 (PDT)
Received: from lnx503.hrz.tu-darmstadt.de (lnx503.hrz.tu-darmstadt.de [130.83.156.232]) by ietfa.amsl.com (Postfix) with ESMTP id 2CCF921F9F08 for <dtn-interest@irtf.org>; Tue, 25 Jun 2013 02:47:12 -0700 (PDT)
Received: from mail.cased.de (mail.cased.de [130.83.33.42]) by lnx503.hrz.tu-darmstadt.de (8.14.4/8.14.4/HRZ/PMX) with ESMTP id r5P9l99N027670 for <dtn-interest@irtf.org>; Tue, 25 Jun 2013 11:47:09 +0200 (envelope-from michael.noisternig@cased.de)
Received: from [130.83.33.155] (cased155.cased.tu-darmstadt.de [130.83.33.155]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.cased.de (Postfix) with ESMTPSA id 5F48941A11F for <dtn-interest@irtf.org>; Tue, 25 Jun 2013 11:47:09 +0200 (CEST)
Message-ID: <51C96719.5080003@cased.de>
Date: Tue, 25 Jun 2013 11:47:05 +0200
From: Michael Noisternig <michael.noisternig@cased.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: dtn-interest@irtf.org
References: <51C0239C.5080104@cased.de> <A5BEAD028815CB40A32A5669CF737C3B235FFDAC@ap-embx-sp40.RES.AD.JPL> <51C81350.1000606@cased.de> <CAB9rx+9Y3rXvytmk9bW-fbzOz=eL+UBntcuzkS_Mn7T9V0wW3Q@mail.gmail.com> <51C89801.20004@cased.de> <CAB9rx+-tHKKOuUTyudxdZRcWv2ev39jRDDW1hQLZ4=VqzFfeuw@mail.gmail.com>
In-Reply-To: <CAB9rx+-tHKKOuUTyudxdZRcWv2ev39jRDDW1hQLZ4=VqzFfeuw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-PMX-TU: seen v1.2 by 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.6.25.93919
X-PMX-RELAY: outgoing
Subject: Re: [dtn-interest] Comments on RFC 5050
X-BeenThere: dtn-interest@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The Delay-Tolerant Networking Research Group \(DTNRG\) - Announce." <dtn-interest.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/dtn-interest>, <mailto:dtn-interest-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/dtn-interest>
List-Post: <mailto:dtn-interest@irtf.org>
List-Help: <mailto:dtn-interest-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 09:47:19 -0000
Thank you, Amy, for your detailed answer! Michael Am 24.06.2013 21:14, schrieb Amy Alford: > If you replaced PIB with BAB in your scenario, authentication would > fail. However, this could only occur if node C is non-security aware. > > Dictionary entries in extension blocks aren't protected by PIB or PCB. > An ESB ciphersuite that provided integrity would protect any extension > block it was applied to. There isn't a PIB equivalent for extension > blocks (if there were, it would be what you would use to protect > dictionary entries for an extension block (as well as the block > contents)). A revision to 6257 will probably provide a PIB equivalent > for extension blocks. > > > > On Mon, Jun 24, 2013 at 3:03 PM, Michael Noisternig > <michael.noisternig@cased.de <mailto:michael.noisternig@cased.de>> wrote: > > Am 24.06.2013 20:48, schrieb Amy Alford: > > > 4.7. Dictionary Revision: > "Any [unreferenced] strings (scheme names and SSPs) in > a bundle's > dictionary ... may be removed from the > dictionary at the time the bundle is forwarded." > ...subject to that authenticity is not lost. > > * Yes, but that’s implicit. Strings that are needed > in order to > > verify authenticity are referenced, so they can’t be > removed from > the dictionary. > > > Could it happen that some extension block be processed, > removed and > its EID references removed by some intermediate node on a > security > path? I am still trying to figure out what is possible with the > current security spec. > > Yes. Talking through a specific example is probably the best way to > clarify this. Suppose we have a very boring network of: > > Node A --- Node B --- Node C --- Node D > > Node A sends a bundle to node D, with a PIB block with security > source > of node A and security destination of node D. Node B can add a PIB > block with security source node B and security destination node > C. When > node C removes the PIB block destined for node C, it may change the > dictionary. But, it would change it back to its state at the > time the > first PIB was calculated. > > In any event, PIBs don't cover the dictionary (only the specific > entries > being used in the blocks covered by the PIB). BABs cover the > dictionary, but are always the last security block added and first > removed. The only time dictionary changes would invalidate a > BAB are if > the dictionary was modified at a non security aware node. > However, if > the dictionary was being modified because of a change to an > extension > block, that would invalidate the BAB anyway. The only dictionary > changes that would invalidate a PIB are gratuitous changes to case > insensitive fields. > > - Amy > > > Ah, I missed that the PIB does not protect the complete dictionary. > Otherwise, I was more thinking about partially overlapping paths. > Something like where Node A adds some (non-security) extension block > together with some new dictionary entry, both to be processed and > removed by Node C, whereas Node B adds a PIB to be consumed by Node D. > > But what about dictionary entries by non-primary blocks? How are > they being protected end-to-end? > > Michael > > _________________________________________________ > dtn-interest mailing list > dtn-interest@irtf.org <mailto:dtn-interest@irtf.org> > https://www.irtf.org/mailman/__listinfo/dtn-interest > <https://www.irtf.org/mailman/listinfo/dtn-interest> > > > > > _______________________________________________ > dtn-interest mailing list > dtn-interest@irtf.org > https://www.irtf.org/mailman/listinfo/dtn-interest >
- [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Amy Alford
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Burleigh, Scott C (313B)
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Burleigh, Scott C (313B)
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Amy Alford
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Amy Alford
- [dtn-interest] Re(2): Comments on RFC 5050 Peter Lovell
- Re: [dtn-interest] Re(2): Comments on RFC 5050 Amy Alford
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig