Re(7): [dtn-interest] "security destination"
Lloyd Wood <L.Wood@surrey.ac.uk> Sun, 14 October 2007 17:14 UTC
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by webbie.berkeley.intel-research.net (8.11.6/8.11.6) with ESMTP id l9EHENC26635 for <dtn-interest@mailman.dtnrg.org>; Sun, 14 Oct 2007 10:14:23 -0700
X-IronPort-AV: E=Sophos;i="4.21,274,1188770400"; d="scan'208";a="155741745"
Received: from ams-dkim-1.cisco.com ([144.254.224.138]) by ams-iport-1.cisco.com with ESMTP; 14 Oct 2007 20:14:17 +0200
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l9EIEHDx020595; Sun, 14 Oct 2007 20:14:17 +0200
Received: from cisco.com (mrwint.cisco.com [64.103.71.48]) by ams-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l9EIECUh026632; Sun, 14 Oct 2007 18:14:17 GMT
Received: from lwood-wxp01.cisco.com (ams3-vpn-dhcp71.cisco.com [10.61.64.71]) by cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id TAA14138; Sun, 14 Oct 2007 19:14:11 +0100 (BST)
Message-Id: <200710141814.TAA14138@cisco.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sun, 14 Oct 2007 19:14:10 +0100
To: Peter Lovell <peter.lovell@sparta.com>
From: Lloyd Wood <L.Wood@surrey.ac.uk>
Subject: Re(7): [dtn-interest] "security destination"
Cc: dtn interest <dtn-interest@mailman.dtnrg.org>
In-Reply-To: <20071013142418.1393143275@127.0.0.1>
References: <20071012000653.10852187@127.0.0.1> <8E507634779E22488719233DB3DF9FF001D67791@IMCSRV4.MITRE.ORG> <470F9F01.6030501@cs.tcd.ie> <8E507634779E22488719233DB3DF9FF001D677E9@IMCSRV4.MITRE.ORG> <20071012194224.1126038132@127.0.0.1> <200710122021.VAA06187@cisco.com> <20071013142418.1393143275@127.0.0.1>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Authentication-Results: ams-dkim-1; header.From=L.Wood@surrey.ac.uk; dkim=neutral
Sender: dtn-interest-admin@mailman.dtnrg.org
Errors-To: dtn-interest-admin@mailman.dtnrg.org
X-BeenThere: dtn-interest@mailman.dtnrg.org
X-Mailman-Version: 2.0.13
Precedence: bulk
List-Unsubscribe: <http://mailman.dtnrg.org/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@mailman.dtnrg.org?subject=unsubscribe>
List-Id: Delay Tolerant Networking Interest List <dtn-interest.mailman.dtnrg.org>
List-Post: <mailto:dtn-interest@mailman.dtnrg.org>
List-Help: <mailto:dtn-interest-request@mailman.dtnrg.org?subject=help>
List-Subscribe: <http://mailman.dtnrg.org/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@mailman.dtnrg.org?subject=subscribe>
List-Archive: <http://mailman.dtnrg.org/pipermail/dtn-interest/>
At Saturday 13/10/2007 10:24 -0400, Peter Lovell wrote: >Hi lloyd, hi Peter - inline below. >On Fri, Oct 12, 2007, Lloyd Wood <L.Wood@surrey.ac.uk> wrote: > >>At Friday 12/10/2007 15:42 -0400, Peter Lovell wrote: >>>This discussion is indeed helpful. >>> >>>Parts are turning, though, on semantics and definitions so I'll add a >>>few thoughts. >>> >>>Stephen views the suggestion as "routing" and I think that's too narrow. >>>It can be viewed that way but is not quite the same. >>> >>>It's worthwhile to note, as Susan mentioned, that the push/pop >>>suggestion does not *add* a new pathing requirement. That has already >>>been done by the use of security-destination fields in security blocks. >>>The suggestion is not adding the path requirement but is just an >>>implementation mechanism to help make the requirement work, and get >>>bundles properly to their destinations. If we don't want to have such a >>>pathing requirement then the solution is to disallow security- >>>destination. If there are security-destinations then there's a path >>>requirement. It's that simple. Choose one. >> >>What if the specified security destination is the same as the final endpoint? >>Using the security destination in that way with multiple nested popping at >>the same destination avoids imposing any pathing requirement, imo; you >>can use a security destination without a path requirement. >> >>This could allow security 'tunnelled' in a separate reliability wrapper, as is >>commonly done by reliable protocols - with both the error detection 'tunnel' >>and the inner encryption being removed at the final endpoint. >>Previously suggested on in [1]. >> >>(Looping could be addressed with a TTL/hopcount mechanism.) >> >>L. >> >>[1] http://mailman.dtnrg.org/pipermail/dtn-interest/2007-September/002917.html > > >If the security destination is the same as the final bundle destination >then it could work that way. > >However you and others have described scenarios where various nodes have >limited ability, such as >>My understanding is that most intended uses of DTN nodes >>are for embedded nodes -- that is, nodes not capable of >>running Windows. >Nodes such as these might not have the necessary capabilities. My take here is that such embedded nodes will want reliable delivery of data. The only current way to get that reliability and resistance to introduced errors with DTN protocols (bundle and LTP) is to implement the security frameworks and reuse security for reliability (outlined in the LTP optional extensions draft and in the irtf-dtnrg-bundle-checksum draft.) As you say, such nodes likely won't have the necessary horsepower/resources to implement the security frameworks. Yet, they do need reliable delivery, so likely won't look to DTN protocols for their needs. I think this is a missed opportunity for DTN, which is aimed more at the 'high end' of processing power. >In addition, network configurations using an insecure dtnet to connect >two secure subnetworks may wish to super-protect the traffic between the >gateways just to make it look uniform, in addition to any end-to-end >protection there might be. The keys and ciphersuites used might exist >only at the bastion gateways, and perhaps the storage and processing >power too. Yes, that problem had given me pause for thought earlier. Let's examine that scenario in more detail. A - G1 - C1 - C2 - C3 ... Cn - G2 - B A needs to communicate with B via security bastion gateways G1 and G2. The private DTN networks that A and B reside in are connected by a carrier network C, with multiple hops between G1 and G2. A and B are communicating via the bundle protocol. It's a DTN network, so connectivity is intermittent at best. Now, A and B don't implement security per se, but do want to ensure reliable communication between them, so they have to have an end-to-end checksum. In the bundle protocol, such a checksum can only get implemented via the bundle security protocol, via either a private key or via an known public-keyed or insecure method outlined in irtf-dtnrg-bundle-checksum-00. G1 and G2 implement more security, so they add a(nother) security layer. Now, when G1 hands a bundle to C1, the first node in the third-party carrier network, C1 has to know that the bundle it has just been handed is actually not corrupted and worth expending the effort on forwarding across the carrier network C to G2. But C1 doesn't have G1's private keys, so it doesn't know about the worth of the bundle content that it has just been handed, which contains opaque sections of bits. Errors in these sections can't be detected. Another bundle checksum is needed - one that G1 has computed and C1 can use to validate the bundle. Each node has this problem - 'is the bundle I've just been handed even worth forwarding on'? Thus, a reliability checksum needs to be added by G1 outside the encryption, to allow verification by each node of C that Ck has received the bundle correctly from Ck-1, and is actually going to forward something that won't just be discarded at G2, and, if discarded there, should have been discarded much earlier to conserve network resources. Conserving network resources is pretty important for bundle networks - unlike the terrestrial Internet, you can't just send on the corrupted frame to the endnode to finally detect the problem, discard the frame, and expect resends to take care of it. (There's a weak analogy with ATM early/partial packet discard here, as far as conserving resources goes.) Unlike the Internet, the cost of delivery is higher; there may be no chance of a resend at a late point of error detection as nodes are no longer connected, though the chance of a resend earlier when e.g. C1 and C2 are still talking may be possible. But for that local resend to work, C2 needs to be able to check the validity of the bundle it receives and detect errors. As the bundle content is encrypted with G1's key which C doesn't have, another checksum is needed around that. This reliability check for third-party carriage of encrypted content is quite important, given sparse resources in bundle networks. C needs a reason to know that this bundle is worth carrying, rather than just drop it as encrypted noise it can't check in favour of its own bundles that it can decode, check or parse for errors, and G2 wants to receive a bundle known to be error-free. (We have talked about this in the security considerations of draft-irtf-dtnrg-bundle-checksum-00, which outlines the drawbacks to implementing the approach in draft-irtf-dtnrg-bundle-checksum-00.) So, the final picture looks like this: A - G1 - C1 - C2 - C3 ... Cn - G2 - B A ------- e2e reliability -------- B G1 ---- added security --- G2 G1 -- subnet reliability - G2 There's three layers there. Pathing is used because the (outer G) security destination is different. The security destination G needs to implement push-pop to support the outer reliability checksum that is needed so that C can recognise that all of G's content, including the encrypted content, is transferred correctly, and do resends internal to C nodes if necessary. Does the BSP as-is cover this scenario? (An alternative would be mandate that the convergence layers implement some sort of checksum over bundle payloads, which covers each hop. But that is weaker than the subnet checksum, as it doesn't cover programming errors or single event upsets in the nodes, and recomputing a checksum at each node actually takes more resources overall. A single subnet checksum is far preferable. Reliability is best implemented top-down, not bottom-up, in accordance with the end-to-end principle.) >So although the scheme you describe will work, BSP has already included >extended capability allowing intermediate security destinations. My >intent is to make that work reliably, rather than making more extensive >changes to BSP. 'reliably' has its own semantic connotations, of course. Here, I'm using it to mean 'without errors introduced in transmission or within a bundle node'. cheers, L. >Regards.....Peter
- Re(7): [dtn-interest] "security destination" Lloyd Wood
- Re(7): [dtn-interest] "security destination" Peter Lovell
- Re(6): [dtn-interest] "security destination" Lloyd Wood
- Re(6): [dtn-interest] "security destination" Peter Lovell
- RE: [dtn-interest] "security destination" Symington, Susan F.
- Re: [dtn-interest] "security destination" Stephen Farrell
- RE: [dtn-interest] "security destination" Symington, Susan F.
- Re: [dtn-interest] "security destination" Stephen Farrell
- [dtn-interest] "security destination" Peter Lovell