Re: [dtn-security] Header Encryption

"Ivancic, William D. (GRC-RHN0)" <> Fri, 17 July 2009 17:58 UTC

From: "Ivancic, William D. (GRC-RHN0)" <>
To: Sushil Chaudhari <>, "" <>
Date: Fri, 17 Jul 2009 12:56:06 -0500

DTN header compression can be done similar to IPsec tunnel mode via first doing bundle-in-bundle and then encrypting the internal bundle using PCB of the BSP.  Basically you set a DTNsec tunnel mode.  I haven't done it, but that would be how one would do it.

IPsec is independent of DTN security.  If you want IPsec "for linux" use the tools I pointed to a few days ago.

IPsec Tools which get you SETKEY
The "IP" command on newer builds also has static key configuration capability.

There are about 4 IKEv2 implementations I am aware of.  My personal preference for what I needed was StrongSwan.

Have fun with security.  Remember - Security is the Ultimate Denial of Service and Security Breaks everything.

If you are trying to learn DTN, my recommendation is do it without security first.

>-----Original Message-----
>From: [mailto:dtn-
>] On Behalf Of Sushil
>Sent: Friday, July 17, 2009 12:02 PM
>Subject: Re: [dtn-security] Header Encryption
>We are using BSP and while observing bundles on Wireshark, the header
>seems to be unencrypted. Also as per draft-irtf-dtnrg-bundle-security-
>08, "every bundle must contain a primary block that contains the source
>and destination EID's that can not be encrypted"
>My question is,
>1. Do we have some method for header encryption?
>2. Can DTN2 be used with IPSEC? If not, do we need an additional
>convergence layer to support IPSEC?