IETF Logo Mail Archive

Re: [dtn-interest] Comments on RFC 5050

Michael Noisternig <michael.noisternig@cased.de> Mon, 24 June 2013 19:03 UTC

Return-Path: <michael.noisternig@cased.de>
X-Original-To: dtn-interest@ietfa.amsl.com
Delivered-To: dtn-interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECAAD11E817C for <dtn-interest@ietfa.amsl.com>; Mon, 24 Jun 2013 12:03:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.249
X-Spam-Level:
X-Spam-Status: No, score=-3.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCN0saHjRFix for <dtn-interest@ietfa.amsl.com>; Mon, 24 Jun 2013 12:03:36 -0700 (PDT)
Received: from lnx500.hrz.tu-darmstadt.de (lnx500.hrz.tu-darmstadt.de [130.83.156.225]) by ietfa.amsl.com (Postfix) with ESMTP id 583D511E816F for <dtn-interest@irtf.org>; Mon, 24 Jun 2013 12:03:35 -0700 (PDT)
Received: from mail.cased.de (mail.cased.de [130.83.33.42]) by lnx500.hrz.tu-darmstadt.de (8.14.4/8.14.4/HRZ/PMX) with ESMTP id r5OJ3YRc020233 for <dtn-interest@irtf.org>; Mon, 24 Jun 2013 21:03:34 +0200 (envelope-from michael.noisternig@cased.de)
Received: from [192.168.178.20] (drms-590c483a.pool.mediaWays.net [89.12.72.58]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.cased.de (Postfix) with ESMTPSA id E9DD147A072 for <dtn-interest@irtf.org>; Mon, 24 Jun 2013 21:03:33 +0200 (CEST)
Message-ID: <51C89801.20004@cased.de>
Date: Mon, 24 Jun 2013 21:03:29 +0200
From: Michael Noisternig <michael.noisternig@cased.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: dtn-interest@irtf.org
References: <51C0239C.5080104@cased.de> <A5BEAD028815CB40A32A5669CF737C3B235FFDAC@ap-embx-sp40.RES.AD.JPL> <51C81350.1000606@cased.de> <CAB9rx+9Y3rXvytmk9bW-fbzOz=eL+UBntcuzkS_Mn7T9V0wW3Q@mail.gmail.com>
In-Reply-To: <CAB9rx+9Y3rXvytmk9bW-fbzOz=eL+UBntcuzkS_Mn7T9V0wW3Q@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-PMX-TU: seen v1.2 by 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.6.24.185423
X-PMX-RELAY: outgoing
Subject: Re: [dtn-interest] Comments on RFC 5050
X-BeenThere: dtn-interest@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The Delay-Tolerant Networking Research Group \(DTNRG\) - Announce." <dtn-interest.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/dtn-interest>, <mailto:dtn-interest-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/dtn-interest>
List-Post: <mailto:dtn-interest@irtf.org>
List-Help: <mailto:dtn-interest-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2013 19:03:43 -0000

Am 24.06.2013 20:48, schrieb Amy Alford:
>
>         4.7. Dictionary Revision:
>         "Any [unreferenced] strings (scheme names and SSPs) in a bundle's
>         dictionary ... may be removed from the
>               dictionary at the time the bundle is forwarded."
>         ...subject to that authenticity is not lost.
>
>            * Yes, but that’s implicit.  Strings that are needed in order to
>
>              verify authenticity are referenced, so they can’t be
>         removed from
>              the dictionary.
>
>
>     Could it happen that some extension block be processed, removed and
>     its EID references removed by some intermediate node on a security
>     path? I am still trying to figure out what is possible with the
>     current security spec.
>
> Yes.  Talking through a specific example is probably the best way to
> clarify this.  Suppose we have a very boring network of:
>
> Node A --- Node B --- Node C --- Node D
>
> Node A sends a bundle to node D, with a PIB block with security source
> of node A and security destination of node D.  Node B can add a PIB
> block with security source node B and security destination node C.  When
> node C removes the PIB block destined for node C, it may change the
> dictionary.  But, it would change it back to its state at the time the
> first PIB was calculated.
>
> In any event, PIBs don't cover the dictionary (only the specific entries
> being used in the blocks covered by the PIB).  BABs cover the
> dictionary, but are always the last security block added and first
> removed.  The only time dictionary changes would invalidate a BAB are if
> the dictionary was modified at a non security aware node.  However, if
> the dictionary was being modified because of a change to an extension
> block, that would invalidate the BAB anyway.  The only dictionary
> changes that would invalidate a PIB are gratuitous changes to case
> insensitive fields.
>
> - Amy

Ah, I missed that the PIB does not protect the complete dictionary. 
Otherwise, I was more thinking about partially overlapping paths. 
Something like where Node A adds some (non-security) extension block 
together with some new dictionary entry, both to be processed and 
removed by Node C, whereas Node B adds a PIB to be consumed by Node D.

But what about dictionary entries by non-primary blocks? How are they 
being protected end-to-end?

Michael

v2.23.0 | Report a Bug | By Email