Re(2): [dtn-security] BSP questions

"Peter Lovell" <peter.lovell@sparta.com> Tue, 06 February 2007 14:41 UTC

Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by webbie.berkeley.intel-research.net (8.11.6/8.11.6) with ESMTP id l16EfeY29241 for <dtn-security@mailman.dtnrg.org>; Tue, 6 Feb 2007 06:41:40 -0800
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id l16Efdeo009941; Tue, 6 Feb 2007 08:41:39 -0600
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.12.11/8.13.1) with ESMTP id l16EfcFK026376; Tue, 6 Feb 2007 08:41:39 -0600
Received: from [192.168.4.103] ([157.185.80.253]) by nemo.columbia.ads.sparta.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 6 Feb 2007 09:41:37 -0500
From: "Peter Lovell" <peter.lovell@sparta.com>
To: <dtn-security@mailman.dtnrg.org>, Susan <susan@mitre.org>
Cc: "Howard Weiss" <howard.weiss@sparta.com>
Subject: Re(2): [dtn-security] BSP questions
Date: Tue, 6 Feb 2007 09:41:36 -0500
Message-Id: <20070206144136.143416340@127.0.0.1>
In-Reply-To: <8E507634779E22488719233DB3DF9FF0014B1749@IMCSRV4.MITRE.ORG>
References: <20070206133129.1301477151@127.0.0.1> <8E507634779E22488719233DB3DF9FF0014B1749@IMCSRV4.MITRE.ORG>
X-Mailer: CTM PowerMail version 5.5.3 build 4480 English (PPC) <http://www.ctmdev.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 06 Feb 2007 14:41:37.0671 (UTC) FILETIME=[E8070970:01C749FC]
Sender: dtn-security-admin@mailman.dtnrg.org
Errors-To: dtn-security-admin@mailman.dtnrg.org
X-BeenThere: dtn-security@mailman.dtnrg.org
X-Mailman-Version: 2.0.13
Precedence: bulk
Reply-To: dtn-security@mailman.dtnrg.org
List-Unsubscribe: <http://mailman.dtnrg.org/mailman/listinfo/dtn-security>, <mailto:dtn-security-request@mailman.dtnrg.org?subject=unsubscribe>
List-Id: DTN Security Discussion <dtn-security.mailman.dtnrg.org>
List-Post: <mailto:dtn-security@mailman.dtnrg.org>
List-Help: <mailto:dtn-security-request@mailman.dtnrg.org?subject=help>
List-Subscribe: <http://mailman.dtnrg.org/mailman/listinfo/dtn-security>, <mailto:dtn-security-request@mailman.dtnrg.org?subject=subscribe>
List-Archive: <http://mailman.dtnrg.org/pipermail/dtn-security/>

Hi Susan,

This is as I expected, and how I have been doing the implementation. I
thought I'd check, though, as strictly end-to-end would make a few
things easier. Worth a try :)

Cheers.....Peter

p.s. yes - clarifying text in the spec would be good


>I believe that the term "end-to-end" here was intended to mean from
>security source to security destination, where the security source is
>not necessarily the source of the bundle, and the security destination
>is not necessarily the destination of the bundle. This
>"end-to-endishness" is described in more detail in the Security
>Overview document. An end-to-end ciphersuite is distinguished from a
>"hop-by-hop" ciphersuite by the fact that the hop-by-hop ciphersuite is
>only intended to be used between adjacent nodes and never across
>multiple nodes. 
>
>To avoid others having the same question as you, it seems we should add
>some clarifying text to explain this, because the BSP is normative
>whereas the Security Overview is not.
>
>-susan
>*****************************************************************
>Susan Symington
>The MITRE Corporation
>susan@mitre.org
>703-983-7209 (voice)
>703-983-7142 (fax)
>******************************************************************
> 
>
>>-----Original Message-----
>>From: dtn-security-admin@mailman.dtnrg.org 
>>[mailto:dtn-security-admin@mailman.dtnrg.org] On Behalf Of Peter Lovell
>>Sent: Tuesday, February 06, 2007 8:31 AM
>>To: dtn-security@mailman.dtnrg.org
>>Cc: Howard Weiss
>>Subject: [dtn-security] BSP questions
>>
>>A question arising from doing the implementation ...
>>
>>Bundle security spec 2.3 description for PS includes the statement
>>"The ciphersuite ID MUST be documented as an end-to-end authentication-ciphersuite
>>or as an end-to-end error-detection-ciphersuite."
>>
>>Is it the intent that PS is only ever end-to-end? It can never be added
>>at intermediate points such as a bastion gateway. Gateway-to-gateway
>>would be done using encapsulation (tunneling), so the gateway would be
>>the source for the encapsulated bundle. If this is the intent then
>>several other issues no longer exist.
>>
>>Thanks.....Peter
>>
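To make the distinction in Susan's answer concrete, below is an added Python model that is not part of this thread and is not the BSP block format: a bundle travels A -> GW1 -> R1 -> GW2 -> B, the bastion gateway GW1 (not the bundle source A) acts as security source for an end-to-end block whose security destination is GW2 (not the bundle destination B), while every node adds a hop-by-hop block that only its next neighbour verifies. The ciphersuite names "e2e-auth" and "hop-auth", the HMAC construction, the key distribution and the topology are all assumptions made for the example.

```python
# Constructed model of end-to-end vs. hop-by-hop security blocks; NOT the BSP wire
# format. Ciphersuite names, MAC construction and key distribution are assumptions.
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class SecurityBlock:
    ciphersuite: str       # hypothetical names: "e2e-auth" or "hop-auth"
    security_source: str   # node that added the block
    security_dest: str     # node expected to verify and remove it
    tag: bytes


@dataclass
class Bundle:
    source: str            # bundle source: not necessarily a security source
    destination: str       # bundle destination: not necessarily a security destination
    payload: bytes
    blocks: list = field(default_factory=list)


def pair(a: str, b: str) -> tuple:
    """Key-ring lookup key for the unordered pair of nodes sharing a secret."""
    return tuple(sorted((a, b)))


def make_tag(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    # Security source and destination are bound into the MAC so a block cannot be
    # re-used between a different pair of endpoints.
    return hmac.new(key, f"{src}>{dst}|".encode() + payload, hashlib.sha256).digest()


def add_block(bundle: Bundle, ciphersuite: str, src: str, dst: str, key: bytes) -> None:
    bundle.blocks.append(SecurityBlock(ciphersuite, src, dst, make_tag(key, src, dst, bundle.payload)))


def process_at(node: str, bundle: Bundle, e2e_keys: dict, hop_keys: dict) -> list:
    """Verify and strip every block whose security destination is this node.
    Blocks addressed elsewhere are forwarded untouched, which is what lets an
    end-to-end block cross intermediate nodes that hold no key for it."""
    events, remaining = [], []
    for blk in bundle.blocks:
        if blk.security_dest != node:
            remaining.append(blk)
            continue
        keyring = e2e_keys if blk.ciphersuite == "e2e-auth" else hop_keys
        key = keyring.get(pair(blk.security_source, node))
        ok = key is not None and hmac.compare_digest(
            make_tag(key, blk.security_source, node, bundle.payload), blk.tag)
        if not ok:
            raise ValueError(f"{node}: {blk.ciphersuite} block from {blk.security_source} failed verification")
        events.append((node, blk.ciphersuite, blk.security_source, "verified"))
    bundle.blocks = remaining
    return events


def forward(path: list, bundle: Bundle, e2e_keys: dict, hop_keys: dict,
            e2e_policy: dict, tamper_at: dict = None) -> list:
    """Walk the bundle along `path`; return (node, ciphersuite, peer, action) events.
    e2e_policy maps a security source to the security destination it protects to;
    every node adds a hop-by-hop block for its next neighbour; tamper_at models a
    node that rewrites the payload after verifying its incoming blocks."""
    trace = []
    for i, node in enumerate(path):
        if i > 0:
            trace += process_at(node, bundle, e2e_keys, hop_keys)
        if tamper_at and node in tamper_at:
            bundle.payload = tamper_at[node]
        if node in e2e_policy:
            dst = e2e_policy[node]
            add_block(bundle, "e2e-auth", node, dst, e2e_keys[pair(node, dst)])
            trace.append((node, "e2e-auth", dst, "added"))
        if i + 1 < len(path):
            nxt = path[i + 1]
            add_block(bundle, "hop-auth", node, nxt, hop_keys[pair(node, nxt)])
            trace.append((node, "hop-auth", nxt, "added"))
    return trace


PATH = ["A", "GW1", "R1", "GW2", "B"]   # constructed topology: two gateways, one router
HOP_KEYS = {pair(a, b): f"hop-{a}-{b}".encode() for a, b in zip(PATH, PATH[1:])}
E2E_KEYS = {pair("GW1", "GW2"): b"secret shared only by the two gateways"}


def demo() -> tuple:
    """GW1, not A, is the security source; GW2, not B, is the security destination."""
    bundle = Bundle("A", "B", b"payload from A")
    return forward(PATH, bundle, E2E_KEYS, HOP_KEYS, {"GW1": "GW2"}), bundle


def demo_tampered() -> str:
    """R1 rewrites the payload: its own hop-by-hop block still verifies at GW2
    (computed over the new payload), but GW1's end-to-end block does not."""
    bundle = Bundle("A", "B", b"payload from A")
    try:
        forward(PATH, bundle, E2E_KEYS, HOP_KEYS, {"GW1": "GW2"}, tamper_at={"R1": b"modified"})
    except ValueError as err:
        return str(err)
    return "no failure detected"


if __name__ == "__main__":
    for event in demo()[0]:
        print(*event)
    print(demo_tampered())
```

Running it shows the end-to-end block passing through R1 untouched and being verified only at GW2, and the tampered run shows why a hop-by-hop block alone cannot catch a modification by an intermediate node: only the block whose security source and destination bracket that node does.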