Re: [dtn-interest] Comments on RFC 5050
Amy Alford <aloomis@sarn.org> Mon, 24 June 2013 19:14 UTC
Return-Path: <aloomis@sarn.org>
X-Original-To: dtn-interest@ietfa.amsl.com
Delivered-To: dtn-interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFE1D21E8160 for <dtn-interest@ietfa.amsl.com>; Mon, 24 Jun 2013 12:14:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.144
X-Spam-Level:
X-Spam-Status: No, score=-1.144 tagged_above=-999 required=5 tests=[AWL=-0.833, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-JwBIK7+NDK for <dtn-interest@ietfa.amsl.com>; Mon, 24 Jun 2013 12:14:04 -0700 (PDT)
Received: from mail-ob0-x233.google.com (mail-ob0-x233.google.com [IPv6:2607:f8b0:4003:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id D45E121E8159 for <dtn-interest@irtf.org>; Mon, 24 Jun 2013 12:14:03 -0700 (PDT)
Received: by mail-ob0-f179.google.com with SMTP id xk17so11232335obc.10 for <dtn-interest@irtf.org>; Mon, 24 Jun 2013 12:14:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=MDFo3MBWmB8Tlce4P8pR34yP9fNvAorxh90HKfqpaYk=; b=npSxcZIgWMepXbLvEC9663qroDUji29i9CKAPg1yMt9f439ws4I/hbWuAFhT81a27i ksJ7t3RRCt1jxaeuRXGC1F9pzv4ENRhtH+/Yotq1fX3ibomsR7ANcJPZ9FmIzZ5cbKz+ ++j0Hg1ozOgxHXz9T+QY7VKVdR2qglEW53e6WgtyfdJP4nS8a6wObH4dT5P3dslL6OM/ ud5LCAt8sNzj+xDlmmo2Uz7gMTR5E4HIFD9bLlhmyc2k/zG98vmetzZUieOO8r5Hp3zt kRkckrcA9g92Gv8PVzp+FAsOXq374UnUF6Yz7YpBRBVZONZruCNWghEK9tWyfHjYFbgp D6Gw==
MIME-Version: 1.0
X-Received: by 10.60.117.41 with SMTP id kb9mr4337323oeb.33.1372101243300; Mon, 24 Jun 2013 12:14:03 -0700 (PDT)
Received: by 10.182.102.201 with HTTP; Mon, 24 Jun 2013 12:14:03 -0700 (PDT)
In-Reply-To: <51C89801.20004@cased.de>
References: <51C0239C.5080104@cased.de> <A5BEAD028815CB40A32A5669CF737C3B235FFDAC@ap-embx-sp40.RES.AD.JPL> <51C81350.1000606@cased.de> <CAB9rx+9Y3rXvytmk9bW-fbzOz=eL+UBntcuzkS_Mn7T9V0wW3Q@mail.gmail.com> <51C89801.20004@cased.de>
Date: Mon, 24 Jun 2013 15:14:03 -0400
Message-ID: <CAB9rx+-tHKKOuUTyudxdZRcWv2ev39jRDDW1hQLZ4=VqzFfeuw@mail.gmail.com>
From: Amy Alford <aloomis@sarn.org>
To: Michael Noisternig <michael.noisternig@cased.de>
Content-Type: multipart/alternative; boundary="047d7b414e283422c004dfeb37ee"
X-Gm-Message-State: ALoCoQloxJKxdyBdVM+Jc7NDfiGkUhHSXYhoGXlkHWpEBNaeMHV72z/U5dmOGunc4WuvyZKOCE1U
Cc: dtn-interest@irtf.org
Subject: Re: [dtn-interest] Comments on RFC 5050
X-BeenThere: dtn-interest@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The Delay-Tolerant Networking Research Group \(DTNRG\) - Announce." <dtn-interest.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/dtn-interest>, <mailto:dtn-interest-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/dtn-interest>
List-Post: <mailto:dtn-interest@irtf.org>
List-Help: <mailto:dtn-interest-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2013 19:14:05 -0000
If you replaced PIB with BAB in your scenario, authentication would fail. However, this could only occur if node C is non-security aware. Dictionary entries in extension blocks aren't protected by PIB or PCB. An ESB ciphersuite that provided integrity would protect any extension block it was applied to. There isn't a PIB equivalent for extension blocks (if there were, it would be what you would use to protect dictionary entries for an extension block (as well as the block contents)). A revision to 6257 will probably provide a PIB equivalent for extension blocks. On Mon, Jun 24, 2013 at 3:03 PM, Michael Noisternig < michael.noisternig@cased.de> wrote: > Am 24.06.2013 20:48, schrieb Amy Alford: > > >> 4.7. Dictionary Revision: >> "Any [unreferenced] strings (scheme names and SSPs) in a bundle's >> dictionary ... may be removed from the >> dictionary at the time the bundle is forwarded." >> ...subject to that authenticity is not lost. >> >> * Yes, but that’s implicit. Strings that are needed in order >> to >> >> verify authenticity are referenced, so they can’t be >> removed from >> the dictionary. >> >> >> Could it happen that some extension block be processed, removed and >> its EID references removed by some intermediate node on a security >> path? I am still trying to figure out what is possible with the >> current security spec. >> >> Yes. Talking through a specific example is probably the best way to >> clarify this. Suppose we have a very boring network of: >> >> Node A --- Node B --- Node C --- Node D >> >> Node A sends a bundle to node D, with a PIB block with security source >> of node A and security destination of node D. Node B can add a PIB >> block with security source node B and security destination node C. When >> node C removes the PIB block destined for node C, it may change the >> dictionary. But, it would change it back to its state at the time the >> first PIB was calculated. >> >> In any event, PIBs don't cover the dictionary (only the specific entries >> being used in the blocks covered by the PIB). BABs cover the >> dictionary, but are always the last security block added and first >> removed. The only time dictionary changes would invalidate a BAB are if >> the dictionary was modified at a non security aware node. However, if >> the dictionary was being modified because of a change to an extension >> block, that would invalidate the BAB anyway. The only dictionary >> changes that would invalidate a PIB are gratuitous changes to case >> insensitive fields. >> >> - Amy >> > > Ah, I missed that the PIB does not protect the complete dictionary. > Otherwise, I was more thinking about partially overlapping paths. Something > like where Node A adds some (non-security) extension block together with > some new dictionary entry, both to be processed and removed by Node C, > whereas Node B adds a PIB to be consumed by Node D. > > But what about dictionary entries by non-primary blocks? How are they > being protected end-to-end? > > Michael > > ______________________________**_________________ > dtn-interest mailing list > dtn-interest@irtf.org > https://www.irtf.org/mailman/**listinfo/dtn-interest<https://www.irtf.org/mailman/listinfo/dtn-interest> >
- [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Amy Alford
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Burleigh, Scott C (313B)
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Burleigh, Scott C (313B)
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Amy Alford
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig
- Re: [dtn-interest] Comments on RFC 5050 Amy Alford
- [dtn-interest] Re(2): Comments on RFC 5050 Peter Lovell
- Re: [dtn-interest] Re(2): Comments on RFC 5050 Amy Alford
- Re: [dtn-interest] Comments on RFC 5050 Michael Noisternig